ALGORITHMS IN ALGEBRAIC NUMBER THEORY 



H. W. Lenstra, Jr. 

Abstract. In this paper we discuss the basic problems of algorithmic algebraic 
number theory. The emphasis is on aspects that are of interest from a purely mathe- 
matical point of view, and practical issues are largely disregarded. We describe what 
has been done and, more importantly, what remains to be done in the area. We hope 
to show that the study of algorithms not only increases our understanding of alge- 
braic number fields but also stimulates our curiosity about them. The discussion is 
concentrated on three topics: the determination of Galois groups, the determination 
of the ring of integers of an algebraic number field, and the computation of the group 
of units and the class group of that ring of integers. 



1. Introduction 

The main interest of algorithms in algebraic number theory is that they provide 
number theorists with a means of satisfying their professional curiosity. The praise 
of numerical experimentation in number theoretic research is as widely sung as 
purely numerological investigations are indulged in, and for both activities good 
algorithms are indispensable. What makes an algorithm good unfortunately defies 
definition — too many extra-mathematical factors affect its practical performance, 
such as the skill of the person responsible for its execution and the characteristics 
of the machine that may be used. 

The present paper addresses itself not to the researcher who is looking for a 
collection of well-tested computational methods for use on his recently acquired 
personal computer. Rather, the intended reader is the perhaps imaginary pure 
mathematician who feels that he makes the most of his talents by staying away 
from computing equipment. It will be argued that even from this perspective the 
study of algorithms, when considered as objects of research rather than as tools, 
offers rich rewards of a theoretical nature. 

The problems in pure mathematics that arise in connection with algorithms have 
all the virtues of good problems. They are of such a distinctly fundamental nature 
that one is often surprised to discover that they have not been considered earlier, 
which happens even in well-trodden areas of mathematics; and even in areas that 
are believed to be well-understood it occurs frequently that the existing theory 
offers no ready solutions, fundamental though the problems may be. Solutions that 
have been found often need tools that at first sight seem foreign to the statement 
of the problem. 

Algebraic number theory has in recent times been applied to the solution of 
algorithmic problems that, in their formulations, do not refer to algebraic number 
theory at all. That this occurs in the context of solving diophantine equations 
(see, e.g., [72]) does not come as a surprise, since these lie at the very roots of 
algebraic number theory. A better example is furnished by the seemingly elementary 
problem of decomposing integers into prime factors. Among the ingredients that 
make modern primality tests work one may mention reciprocity laws in cyclotomic 
fields (see [3, 25, 24]), arithmetic in cyclic fields (see [46, 10]), the construction of 
Hilbert class fields of imaginary quadratic fields [5], and class number estimates 
of fourth degree CM-fields [1]. The best rigorously proved time bound for integer 
factorization is achieved by an algorithm that depends on quadratic fields (see 
[49]), and the currently most promising practical approach to the same problem, 
the number field sieve (see [17, 43, 44]), employs "random" number fields of which 
the discriminants are so huge that many traditional computational methods become 
totally inapplicable. The analysis of many algorithms related to algebraic number 
fields seriously challenges our theoretical understanding, and one is often forced to 
argue on the basis of heuristic assumptions that are formulated for the occasion. It is 
considered a relief when one runs into a standard conjecture such as the generalized 
Riemann hypothesis (as in [6, 15]) or Leopoldt's conjecture on the nonvanishing of 
the p-adic regulator [60]. 

In this paper we will consider algorithms in algebraic number theory for their own 
sake rather than with a view to any of the above applications. The discussion will be 
concentrated on three basic algorithmic questions that one may ask about algebraic 
number fields, namely, how to determine the Galois group of the normal closure 
of the field, or, more generally, of any polynomial over any algebraic number field; 
how to find the ring of integers of the field; and how to determine the unit group 
and the ideal class group of that ring of integers. These are precisely the subjects 
that are discussed in Algorithmic algebraic number theory by M. Pohst and H. 
Zassenhaus (Cambridge, 1989), but our point of view is completely different. Pohst 
and Zassenhaus present algorithms that "yield good to excellent results for number 
fields of small degree and not too large discriminant" [56, Preface], but our attitude 
will be decidedly and exclusively asymptotic. For the purposes of the present paper 
one algorithm is considered better than another if, for each positive real number 
N, it is at least N times as fast for all but finitely many values of the input data. 
It is clear that with this attitude we can make no claims concerning the practical 
applicability of any of the results that are achieved. In fact, following Archimedes 
[4] one should be able, on the basis of current physical knowledge, to find an upper 
estimate for all sets of numerical input data to which any algorithm will ever be 
applied, and an algorithm that is faster in all those finitely many instances may 
still be worse in our sense. 

To some people the above attitude may seem absurd. To the intended reader, 
who is never going to apply any algorithm anyway, it comes as a liberation and a 
relief. Once he explicitly gives up all practical claims he will realize that he can 
occupy himself with algorithms without having to fear the bad dreams caused by 
the messy details and dirty tricks that stand between an elegant algorithmic idea 
and its practical implementation. He will find himself in the platonic paradise of 
pure mathematics, where a conceptual and concise version of an algorithm is valued 
more highly than an ad hoc device that speeds it up by a factor of ten and where 
words have precise meanings that do not change with the changing world. He will 
never need to enter the dark factories that in his imagination are populated by 
applied mathematicians, where boxes full of numbers that they call matrices are 
carried around and where true electronic computers are fed with proliferating triple 
indices. And in his innermost self he will know that in the end his own work will 
turn out to have the widest application range, exactly because it was not done with 
any specific application in mind. 

There is a small price to be paid for admission to this paradise. Algorithms and 
their running times can only be investigated mathematically if they are given exact 
definitions, and this can apparently be done only if one employs the terminology 
of theoretical computer science, which our intended reader unfortunately does not 
feel comfortable with either. It is only out of respect for his feelings that I have 
not called this paper Complexity of algorithms in algebraic number theory, which 
would have described its contents more accurately. 

Although it is, from a rigorous mathematical point of view, desirable that I define 
what I mean by an algorithm and its running time, I will not do so. My main excuse 
is that I do not know these definitions myself. Even worse, I never saw a treatment 
of the appropriate theory that is precise, elegant, and convenient to work with. It 
would be a laudable enterprise to fill this apparent gap in the literature. In the 
meantime, I am happy to show by example that one can avoid paying the admission 
price, just as not all algebraists are experts on set theory or algebraic geometers 
on category theory. The intuitive understanding that one has of algorithms and 
running times, or of sets and categories, is amply sufficient. Exact definitions 
appear to be necessary only when one wishes to prove that algorithms with certain 
properties do not exist, and theoretical computer science is notoriously lacking in 
such negative results. The reader who wishes to provide his own definitions may 
wish to consult [74] for an account of the pitfalls to be avoided. He should bear in 
mind that all theorems in the present paper should become formal consequences of 
his definitions, which makes his task particularly academic. 

My intended reader may have another allergy, namely, for constructive mathematics, 
in which purely existential proofs and the law of the excluded middle are not 
accepted. This has only a superficial relationship to algorithmic mathematics. Of 
course, it often happens that one can obtain a good algorithm by just transcribing 
an essentially constructive proof, but such algorithms do not tend to be the most 
interesting ones; many of them are mentioned in §2. In the design and analysis of 
algorithms one gladly invokes all the help that existing pure mathematics has to 
offer and often some not-yet-existing mathematics as well. 

For an account of algorithms in algebraic number theory that emphasizes the 
practical aspects rather than complexity issues we refer to the forthcoming book 
by Cohen [23]. 

In §2 we cover the basic terminology and the basic auxiliary results to be used in 
later sections. In particular, we discuss several fundamental questions that, unlike 
integer factorization, admit a satisfactory algorithmic treatment. These include 
questions related to finitely generated abelian groups, to finite fields, and to the 
factorization of polynomials over number fields. 

Section 3 is devoted to the problem of determining Galois groups. We review 
the little that has been done on the complexity of this problem, including the 
pretty result of Landau and Miller [36] that solvability by radicals can be decided 
efficiently. We also point out several directions for further research. 

In §4 we discuss the problem of determining the ring of integers of a given 
algebraic number field. The main result is a negative one — the problem is in many 
ways equivalent to the problem of finding the largest square factor of a given positive 
integer, which is intractable at present. Nevertheless, we will see that one can get 
quite close. There is an interesting connection with the resolution of plane curve 
singularities that remains to be exploited. 

Section 5 considers the problem of determining the unit group O* and the ideal 
class group Cl O of the ring of integers O of a given number field. Showing that these 
are effectively computable is not entirely trivial, and since most textbooks are silent 
on this point, I treat it in some detail. We shall see that the existing complexity 
estimates for this problem still leave room for improvement, and what we have to 
say is far from conclusive. In §6 we prove a few explicit bounds concerning units and 
class groups that are needed in §5. Several results in these two sections could have 
been formulated in terms of the divisor class group $\mathrm{Pic}_0\, O$ that appears in Arakelov 
theory (see [70, §1]) and that already appeared in the context of algorithms (see [65, 
45]). Knowing the group $\mathrm{Pic}_0\, O$ is equivalent to knowing both O* and Cl O, which 
may explain why algorithms for computing O* and algorithms for computing Cl O 
are often inextricably linked. It also explains why, contrary to many authors in the 
field, I prefer to think of determining O* and determining Cl O as a single problem. 

The three basic questions that are addressed in this progress report still offer 
ample opportunities for additional progress. Among the many other algorithmic 
questions in algebraic number theory that merit attention we mention the problem 
of tabulating number fields, problems from class field theory such as the calculation 
of Artin symbols, problems concerning quadratic forms, and the analogues of all 
problems discussed in this paper for function fields of curves over finite fields. 

2. Preliminaries 

2.1. Algorithms and complexity. It is assumed that the reader has an intuitive 
understanding of the notion of an algorithm as being a recipe that given one finite 
sequence of nonnegative integers, called the input data, produces another, called 
the output. Formally, an algorithm may be defined as a Turing machine, but for 
several of our results it is better to choose as our "machine model" an idealized 
computer that is more realistic with respect to its running time, which is another 
intuitively clear notion that we do not define. We refer to [74] and the literature 
given there for a further discussion of these points. 

The length of a finite sequence of nonnegative integers $n_1, n_2, \ldots, n_t$ is defined 
to be $\sum_{i=1}^{t} \log(n_i + 2)$. It must informally be thought of as proportional to the 
number of bits needed to spell out the $n_i$ in binary. By analyzing the complexity 
of an algorithm we mean in this paper finding a reasonably sharp upper bound for 
the running time of the algorithm expressed as a function of the length of the input 
data. This should, more precisely, be called time complexity, to distinguish it from 
space complexity. An algorithm is said to be polynomial-time or good if its running 
time is $(l + 2)^{O(1)}$, where $l$ is the length of the input. Studying the complexity 
of a problem means finding an algorithm for that problem of the smallest possible 
complexity. In the present paper we consider the complexity analysis complete 
when a good algorithm for a problem has been found, and we will not be interested 
in the value of the O-constant. Informally, a problem has a good algorithm if an 
instance of the problem is almost as easily solved as it is formulated. 

Sometimes we will refer to a probabilistic algorithm, which is an algorithm that 
may use a random number generator for drawing random bits. One formalization 
of this is a nondeterministic Turing machine (see [74]). Unless we use the word 
probabilistic, we do not allow the use of random number generators, and if we wish 
to emphasize this we talk of deterministic algorithms. In the case of a probabilistic 
algorithm, the running time and the output are not determined by the input alone, 
but both have, for each fixed value of the input data, a distribution. The expected 
running time of a probabilistic algorithm is the expectation of the running time for 
a given input. Studying the complexity of a probabilistic algorithm means finding 
an upper bound for the expected running time as a function of the length of the 
input. For a few convenient rules that can be used for this purpose we refer to 
[49, §12]. A probabilistic algorithm is called good if its expected running time is 
$(l + 2)^{O(1)}$, where $l$ is the length of the input. 

Parallel algorithms have not yet played any role in algorithmic number theory, 
and they will not be considered here. 

Many results in this paper assert that "there exists" an algorithm with certain 
properties. In all cases, such an algorithm can actually be exhibited, at least in 
principle. 

All O-constants are absolute and effectively computable unless indicated other- 
wise. 

2.2. Encoding data. As stated above, the input and the output of an algorithm 
consist of finite sequences of nonnegative integers. However, in the mathematical 
practice of thinking and writing about algorithms one prefers to work with math- 
ematical concepts rather than with sequences of nonnegative integers that encode 
them in some manner. Thus, one likes to say that the input of an algorithm is 
given by an algebraic number field rather than by the sequence of coefficients of 
a polynomial that defines the field; and it is both shorter and clearer to say that 
one computes the kernel of a certain endomorphism of a vector space than that one 
determines a matrix of which the columns express a basis for that kernel in terms 
of a given basis of the vector space. To justify such a concise mode of expression 
we have to agree on a way of encoding entities such as number fields, vector spaces, 
and maps between them by means of finite sequences of nonnegative integers. That 
is one of the purposes of the remainder of this section. Sometimes there is one obvi- 
ous way to do the encoding, but often there arc several, in which case the question 
arises whether there is a good algorithm that passes from one encoding to another. 
When there is, we will usually not distinguish between the encodings, although for 
practical purposes they need not be equivalent. 

We shall see that the subject of encoding mathematical entities suggests several 
basic questions, but we will not pursue these systematically. We shall not do much 
more than what will be needed in later sections. 

2.3. Elementary arithmetic. By Z we denote the ring of integers. Adding a sign 
bit we can clearly use nonnegative integers to represent all integers. The traditional 
algorithms for addition and subtraction take time $O(l)$, where $l$ is the length of the 
input. The ordinary algorithms for multiplication and division with remainder, as 
well as the Euclidean algorithm for the computation of greatest common divisors, 
have running time $O(l^2)$. With the help of more sophisticated methods this can be 
improved to for $l \to \infty$ (see [33]). An operation that is not known to be 
doable by means of a good algorithm is decomposing a positive integer into prime 
numbers (see [33, 50, 41]), but there is a good probabilistic algorithm for the related 
problem of deciding whether a given integer is prime [1]. No good algorithms are 
known for the problem of recognizing squarefree numbers and the problem of finding 
the largest square dividing a given positive integer, even when the word "good" is 
given a less formal meaning (see [43, §2]). 

For some algorithms a prime number p is part of the input. In such a case, the 
prime is assumed to be encoded by itself rather than that, for example, n stands 
for the nth prime. Since we know no good deterministic algorithm for recognizing 
primes, it is natural to ask what the algorithm does if p is not prime or at least not 
known to be prime. Some algorithms may discover that p is nonprime, either be- 
cause a known property of primes is contradicted in the course of the computations, 
or because the algorithm spends more time than it should; such algorithms may be 
helpful as primality tests. Other algorithms may even give a nontrivial factor of p, 
which may make them applicable as integer factoring algorithms. For both types 
of algorithms, one can ask what can be deduced if the algorithm does appear to 
terminate successfully. Does this assist us in proving that p is prime? What do we 
know about the output when we do not assume that p is prime? An algorithm for 
which this question has not been answered satisfactorily is Schoof 's algorithm for 
counting the number of points on an elliptic curve over a finite field [62]. 

Rational numbers can be represented as pairs of integers in an obvious manner, 
and all field operations can be performed on them in polynomial time. 

Let n be a positive integer. The elements of the ring Z/nZ are assumed to be 
encoded as nonnegative integers less than n. The ring operations can be performed 
in polynomial time. An ideal $I \subset \mathbb{Z}/n\mathbb{Z}$ can be encoded either by means of its 
index $d = [\mathbb{Z}/n\mathbb{Z} : I]$, which completely determines it and which can be any divisor 
of $n$, or by means of a finite sequence of elements that generates $I$, or by means 
of a single generator. An element of $I$ can be represented either as an element of 
$\mathbb{Z}/n\mathbb{Z}$ that is divisible by $d$, or as an explicit $\mathbb{Z}/n\mathbb{Z}$-linear combination of the given 
generators of $I$, or as an explicit multiple of a single given generator. Using the 
extended Euclidean algorithm one easily sees that one can pass from any of these 
encodings of ideals and their elements to any other in polynomial time and that 
one can likewise test inclusion and equality of given ideals. In particular, one can 
decide in polynomial time whether a given nonzero element of $\mathbb{Z}/n\mathbb{Z}$ is a unit, if 
so find its inverse, and if not so find a nontrivial divisor of $n$. Taking $n = p$ to 
be prime we conclude that we can perform all field operations in $\mathbf{F}_p = \mathbb{Z}/p\mathbb{Z}$ in 
polynomial time. 
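The encodings of ideals of Z/nZ described above, as an added Python example that is not from the paper: the index of an ideal given by generators (which is also a single generator), the expression of an element as a Z/nZ-linear combination of given generators by accumulating Bezout coefficients, inclusion of ideals via their indices, and the unit test that returns either an inverse or a nontrivial divisor of n. All function names are my own.

```python
from math import gcd


def ext_gcd(a, b):
    # Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y == g == gcd(a, b).
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def unit_or_divisor(a, n):
    # For a nonzero element a of Z/nZ: ("unit", inverse) if a is invertible,
    # otherwise ("divisor", d) with 1 < d < n dividing n.  A failed inversion
    # therefore always exposes a nontrivial factor of the modulus.
    a %= n
    if a == 0:
        raise ValueError("a must be nonzero in Z/nZ")
    g, x, _ = ext_gcd(a, n)
    return ("unit", x % n) if g == 1 else ("divisor", g)


def ideal_index(gens, n):
    # Index [Z/nZ : I] of the ideal I generated by gens.  The index is itself
    # a generator of I, so this passes from the "generators" encoding to the
    # "index" and "single generator" encodings.
    d = n
    for g in gens:
        d = gcd(d, g % n)
    return d


def express_in_generators(x, gens, n):
    # Write x as a Z/nZ-linear combination of gens, or return None if x is not
    # in the ideal they generate.  Invariant after each step: d == sum(c*g) mod n.
    d, coeffs = n, [0] * len(gens)
    for i, g in enumerate(gens):
        d, s, t = ext_gcd(d, g % n)          # d_new = s*d_old + t*g
        coeffs = [(s * c) % n for c in coeffs]
        coeffs[i] = (coeffs[i] + t) % n
    x %= n
    if x % d:
        return None
    return [(x // d * c) % n for c in coeffs]


def is_subideal(gens_j, gens_i, n):
    # The ideal generated by gens_j lies in the one generated by gens_i exactly
    # when the index of the latter divides the index of the former.
    return ideal_index(gens_j, n) % ideal_index(gens_i, n) == 0
```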

2.4. Linear algebra. Let F be a field, and suppose that one has agreed upon an 
encoding of its elements, as is the case when F is the field Q of rational numbers 
or the field Fp for some prime number p (see 2.3). Giving a finite-dimensional 
vector space over F simply means giving a nonnegative integer n, which is the 
dimension of the vector space. This number n is to be given in unary, i.e., as 
a sequence 1, 1, . . . , 1 of n ones, so that the length of the encoding is at least 
n. This is because almost any algorithm related to a vector space of dimension 
n takes time at least n. The elements of such a vector space are encoded as se- 
quences of n elements of F. Homomorphisms between vector spaces are encoded as 
matrices. A subspace of a vector space can be encoded as a sequence of elements 
that spans the subspace, or as a sequence of elements that forms a basis of the 
subspace, or as the kernel of a homomorphism from the vector space to another 
one. For all fields F that we shall consider the traditional algorithms from linear 
algebra, which are based on Gaussian elimination, are polynomial-time: algorithms 
that pass back and forth between different representations of subspaces, algorithms 
that decide inclusion and equality of subspaces, that form sums and intersections 
of subspaces, algorithms that construct quotient spaces, direct sums, and tensor 
products, algorithms for computing determinants and characteristic polynomials 
of endomorphisms, and algorithms that decide whether a given homomorphism is 
invertible and if so construct its inverse. The proofs are straightforward, the main 
problem being to find upper bounds for the sizes of the numbers that occur in the 
computations, for example when F = Q. 

If one applies any of these algorithms to F = Z/pZ without knowing that p is 
prime, then one either finds a nontrivial divisor of p because some division by a 
nonzero element fails, or the algorithm performs successfully as if F were a field. In 
the latter case it is usually easy to interpret the output of the algorithm in terms 
of free Z/pZ-modules (see [14]), thus avoiding the assumption that p be prime. 

2.5. Finitely generated abelian groups. Specifying a finitely generated abelian 
group is done by giving a sequence of nonnegative integers $d_1, d_2, \ldots, d_t$; the group 
is then $\bigoplus_{i=1}^{t} \mathbb{Z}/d_i\mathbb{Z}$, which enables us to represent the elements of the group by 
means of sequences of $t$ integers. In our applications the group is usually either 
finite (all $d_i > 0$) or free abelian (all $d_i = 0$). To make the $d_i$ unique one may 
require that $d_i$ divides $d_{i+1}$ for $1 \le i < t$; this can be accomplished in polynomial 
time. One should not require the $d_i$ to be prime powers, since that is, for all we 
know, algorithmically hard to achieve. Starting from this description of finitely 
generated abelian groups, one can encode maps and subgroups in various ways 
that are reminiscent of 2.4 and that are left to the imagination of the reader. He 
may also formulate the analogues of the problems mentioned in 2.4 for the current 
case and construct good algorithms for them using Hermite and Smith reduction of 
integer matrices (see [29]). The main difficulty is to keep the intermediate numbers 
small. 

2.6. Basis reduction. In many cases a finitely generated free abelian group $L$ 
is equipped with a bilinear symmetric map $L \times L \to \mathbb{R}$ that induces a Euclidean 
structure on $L_{\mathbb{R}} = L \otimes_{\mathbb{Z}} \mathbb{R}$; here $\mathbb{R}$ denotes the field of real numbers. For example, 
this is the case if $L$ is a subgroup of $\mathbb{Z}^n$, with the ordinary inner product. It is also 
the case if $L$ is a finitely generated subgroup of the additive group of an algebraic 
number field $K$ (see 2.9), the bilinear symmetric map in this case being induced 
by $\langle x, x \rangle = \sum_{\sigma} |\sigma x|^2$, where $\sigma$ ranges over the field homomorphisms from $K$ to the 
field C of complex numbers. In such cases it is often desirable to find a reduced 
basis of L over Z, i.e., a basis of which the elements are "short" in a certain sense. 
If the symmetric matrix that defines the bilinear map on a given basis of L is known 
to a certain accuracy, then a reduced basis can be found by means of a reduction 
algorithm. The complexity of such an algorithm depends on the precise notion of 
"reduced basis" that one employs. In [42] one finds a good reduction algorithm 
that will suffice for our purposes. See [30] for further developments. 

2.7. Rings. We use the convention that rings have unit elements, that a subring 
has the same unit element, and that ring homomorphisms preserve the unit element. 
The characteristic char A of a ring A is the nonnegative integer that generates the 
kernel of the unique ring homomorphism $\mathbb{Z} \to A$. The group of units of a ring A is 
denoted by A*. All rings in this paper are supposed to be commutative. 

Almost any ring that we need to encode in this paper has an additive group that is 
either finitely generated or a finite-dimensional vector space over Q; for exceptions, 
see 2.11. Such a ring A is encoded by giving its underlying abelian group as in 2.5 
or 2.4 together with the multiplication map $A \otimes A \to A$. It is straightforward to 
decide in polynomial time whether the multiplication map satisfies the ring axioms. 

Ideals are encoded as subgroups or, equivalently, as kernels of ring homomor- 
phisms. There are good algorithms for computing the sum, product, and intersec- 
tion of ideals, as well as the ideal $I : J = \{x \in A : xJ \subset I\}$ for given $I$ and $J$, and 
the quotient ring of A modulo a given ideal. 

A polynomial over a ring is always supposed to be given by means of a complete 
list of its coefficients, including the zero coefficients; thus we do not work with 
sparse polynomials of a very high degree. 

Most finite rings that have been encountered in algorithmic number theory "try 
to be fields" in the sense that one is actually happy to find a zero-divisor in the 
ring. This applies to the way they occur in §4 and also to the application of finite 
rings in primality testing [46, 10]. Nevertheless, it seems of interest to study finite 
rings from an algorithmic point of view for their own sake. Testing whether a 
given finite ring is local can be done by a good probabilistic algorithm, but finding 
the localizations looks very difficult. Testing whether it is reduced or a principal 
ideal ring also looks very difficult, but there may be a good algorithm for deciding 
whether it is quasi-Frobenius. I do not know whether isomorphism can be tested 
in polynomial time. Many difficulties are already encountered for finite rings that 
are Fp-algebras for some prime number p. Two finite etale Fp-algebras can be 
tested for isomorphism in polynomial time (cf. [14]), but there is no known good 
deterministic algorithm for finding the isomorphism if it exists; if they are fields, 
there is, but the proof depends on ring theory (see [48]). 

2.8. Finite fields. Let $p$ be a prime number, $n$ a positive integer, and $q = p^n$. 
A finite field of cardinality $q$ is encoded as a ring, as in 2.7. This comes down 
to specifying $p$, $n$, as well as a system of $n^3$ elements $a_{ijk}$ of $\mathbf{F}_p$ with the property 
that there is a basis $e_1, e_2, \ldots, e_n$ of $\mathbf{F}_q$ over $\mathbf{F}_p$ such that $e_i e_j = \sum_k a_{ijk} e_k$ for 
all i, j. We refer to [48] for a description of good algorithms for various funda- 
mental problems: performing the field operations in a given finite field, as well 
as exponentiation and the application of automorphisms; finding all subfields of a 
given finite field $\mathbf{F}_q$, finding the irreducible polynomial of a given element of $\mathbf{F}_q$ 
over a given subfield, finding a primitive element of $\mathbf{F}_q$, i.e., an element $\alpha \in \mathbf{F}_q$ 
with $\mathbf{F}_q = \mathbf{F}_p(\alpha)$, finding a normal basis of $\mathbf{F}_q$ over a given subfield, and finding all 
field homomorphisms and isomorphisms from a given finite field to another. Most 
of these algorithms rely heavily on linear algebra. 

Given a positive integer $p$ and a system of elements $a_{ijk}$ of $\mathbb{Z}/p\mathbb{Z}$, how does one 
decide whether they specify a field $\mathbf{F}_q$ as above? This is at least as hard as testing 
$p$ for primality, for which no good deterministic algorithm is known. However, this 
is the only obstruction: there is a good algorithm that given $p$ and the $a_{ijk}$ either 
shows that they do not define a field, or shows that if $p$ is prime they do. Namely, 
one runs the algorithms mentioned above for finding a primitive element $\alpha$ and its 
minimal polynomial $f$ over $\mathbb{Z}/p\mathbb{Z}$, just as if one is working with a field, and one 
verifies that the map sending $X$ to $\alpha$ induces an isomorphism from $(\mathbb{Z}/p\mathbb{Z})[X]/(f)$ 
to the structure that one is working with; if this is not true, or if anything went 
wrong during the course of the algorithm, one does not have a field; if it is, then as 
a final test one decides whether $f$ is irreducible over $\mathbb{Z}/p\mathbb{Z}$, which for prime $p$ can 
be done by means of a good algorithm (see [38, 47] and the references given there). 
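The decision procedure of the preceding paragraph, as an added Python example that is not from the paper or its references: given p, the structure constants a[i][j] (the coordinates of e_i e_j) and, as an extra assumption, the unit element, it checks the ring axioms and then decides, for prime p, whether the algebra is a field, reporting any failed division in Z/pZ as a nontrivial divisor of p. In place of the primitive-element and irreducibility steps it uses the Frobenius map x -> x^p, which is linear in characteristic p: an injective Frobenius rules out nilpotents, and the solutions of x^p = x then count the simple factors of the reduced algebra.

```python
from math import gcd

class NotAField(Exception):
    """A division in Z/pZ failed; args[0] is a nontrivial divisor of p."""

def inv_mod(a, p):
    # Inverse of nonzero a in Z/pZ; gcd(a, p) > 1 means p is composite, and the gcd is reported.
    g = gcd(a % p, p)
    if g != 1:
        raise NotAField(g)
    return pow(a, -1, p)

def mul(u, v, a, p):
    # Product of coordinate vectors: (uv)_k = sum_{i,j} u_i v_j a[i][j][k]  (mod p).
    n = len(a)
    w = [0] * n
    for i in range(n):
        for j in range(n):
            for k in range(n):
                w[k] = (w[k] + u[i] * v[j] * a[i][j][k]) % p
    return w

def power(u, e, a, one, p):
    # u^e by repeated squaring; `one` is the unit element supplied with the input.
    result, base = one, u
    while e:
        if e & 1:
            result = mul(result, base, a, p)
        base = mul(base, base, a, p)
        e >>= 1
    return result

def nullspace(rows, p):
    # Basis of the kernel of a matrix over Z/pZ by Gauss-Jordan elimination.
    rows = [[x % p for x in r] for r in rows]
    n, pivots, r = len(rows[0]), [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = inv_mod(rows[r][c], p)
        rows[r] = [(x * inv) % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in [c for c in range(n) if c not in pivots]:
        v = [0] * n
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-rows[i][fc]) % p
        basis.append(v)
    return basis

def ring_axioms_hold(a, one, p):
    # Commutativity and associativity on basis vectors, and that `one` acts as 1;
    # distributivity is automatic because the multiplication is given bilinearly.
    n = len(a)
    E = [[int(i == j) for j in range(n)] for i in range(n)]
    for ei in E:
        if mul(one, ei, a, p) != ei:
            return False
        for ej in E:
            if mul(ei, ej, a, p) != mul(ej, ei, a, p):
                return False
            for ek in E:
                if mul(mul(ei, ej, a, p), ek, a, p) != mul(ei, mul(ej, ek, a, p), a, p):
                    return False
    return True

def decide(a, one, p):
    # Returns ("field", None), ("not a field", reason) or ("divisor of p", d); "field" assumes p prime.
    n = len(a)
    E = [[int(i == j) for j in range(n)] for i in range(n)]
    try:
        if not ring_axioms_hold(a, one, p):
            return "not a field", "ring axioms fail"
        # In characteristic p the Frobenius x -> x^p is Z/pZ-linear; M[k][i] = (e_i^p)_k.
        frob = [power(e, p, a, one, p) for e in E]
        M = [[frob[i][k] for i in range(n)] for k in range(n)]
        if nullspace(M, p):  # a nonzero x with x^p = 0 is nilpotent
            return "not a field", "nilpotent element"
        # A reduced finite Z/pZ-algebra is a product of fields, and the solutions of
        # x^p = x form one copy of Z/pZ per factor: it is a field iff that space is a line.
        fixed = nullspace([[(M[k][i] - E[k][i]) % p for i in range(n)] for k in range(n)], p)
        if len(fixed) != 1:
            return "not a field", "product of %d fields" % len(fixed)
        return "field", None
    except NotAField as exc:
        return "divisor of p", exc.args[0]

def quadratic_structure(c, p):
    # Constructed sample input: structure constants of (Z/pZ)[X]/(X^2 - c) on basis 1, X.
    return [[[1, 0], [0, 1]], [[0, 1], [c % p, 0]]]
```

With p = 15 and X^2 = 3 the elimination has to invert 12 in Z/15Z, and the procedure returns the divisor 3 of 15 instead of a verdict, which is the behaviour the text describes for a p that is not prime.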

There are also problems for which no good algorithm is known. One is the 
problem of constructing $\mathbf{F}_{p^n}$ for a given prime $p$ and a given positive integer $n$, or, 
equivalently, constructing an irreducible polynomial $f \in \mathbf{F}_p[X]$ of degree $n$; here $n$ 
is supposed to be given in unary (cf. 2.4). If one accepts the generalized Riemann 
hypothesis then there is a good algorithm for doing this [2]. There is also a good 
probabilistic algorithm for this problem, and a deterministic algorithm that runs in 
$\sqrt{p}$ times polynomial time [66]. 

An important problem, which will come up several times in this paper, is the 
problem of factoring a given polynomial $f$ in one variable over a given finite field 
$\mathbf{F}_{p^n}$. No good algorithm is known for this problem, even when the generalized 
Riemann hypothesis is assumed. There does exist a good probabilistic algorithm 
and a deterministic algorithm that runs in $\sqrt{p}$ times polynomial time [67]; if $p$ is 
fixed, or smaller than the degree of $f$, then the latter algorithm is good. There also 
exists a good algorithm that, given $f \in \mathbf{F}_{p^n}[X]$, determines the factorization type 
of $f$, i.e., the number of irreducible factors and their degrees and multiplicities. We 
refer to [47] for a further discussion. 

Algorithmic problems relating to the multiplicative group of finite fields, such as 
the discrete logarithm problem, are generally very difficult, see [53, 57, 41, 27, 60, 
51]. 

2.9. Number fields. By a number field or an algebraic number field we mean in 
this paper a field extension K of finite degree of the field Q of rational numbers. 
For the basic theory of algebraic number fields, see [37, 75, 20]. 

An algebraic number field $K$ is encoded as its underlying $\mathbb{Q}$-vector space together 
with the multiplication map $K \otimes_{\mathbb{Q}} K \to K$, as in 2.7; in other words, giving $K$ 
amounts to giving a positive integer $n$ and a system of rational numbers $a_{ijk}$ 
that describe the multiplication in $K$ on a vector space basis of $K$ over $\mathbb{Q}$ (cf. 2.8 
above). As in [48, §2], one shows that the field operations in a number field can 
be performed in polynomial time. Using standard arguments from field theory one 
shows that there are good algorithms for determining the irreducible polynomial of 
a given element of $K$ over a given subfield and for finding a primitive element of $K$, 
i.e., an element $\alpha \in K$ for which $K = \mathbb{Q}(\alpha)$. It follows that giving a number field 
is equivalent to giving an irreducible polynomial $f \in \mathbb{Q}[X]$ and letting the field be 
$\mathbb{Q}[X]/f\mathbb{Q}[X]$. 

Polynomials in one variable with coefficients in an algebraic number field can be 
factored into irreducible factors in polynomial time. This is done with the help of 
basis reduction, see [42, 35, 39, 40]. We note two consequences. 

First of all, from the argument given in 2.8 one sees that there is a good algorithm 
for deciding whether a given system of rational numbers defines a number field. 
Secondly, given two number fields $K = \mathbf{Q}(\alpha)$ and $K'$, one can decide whether 
or not they are isomorphic, and if so, find all isomorphisms, in polynomial time. 
To do this, one factors the irreducible polynomial $f$ of $\alpha$ over $\mathbf{Q}$ into irreducible 
factors in the ring $K'[X]$, and one observes that the linear factors are in bijective 
correspondence with the field homomorphisms $K \to K'$; such a field homomorphism 
is an isomorphism if and only if the two fields have the same degree over $\mathbf{Q}$. 
With $K = K'$ we see from the above that one can also determine all automorphisms 
of $K$, and composing them one can make a complete multiplication table 
for the group $\mathrm{Aut}\,K$ of field automorphisms of $K$, all in polynomial time. 

In the proof of 3.5 we shall see that all maximal proper subfields of a given 
number field of degree $n$ can be found in polynomial time. Finding all subfields 
is asking too much, since the number of subfields is not polynomially bounded. 
I do not know whether all minimal subfields different from $\mathbf{Q}$ can be found in 
polynomial time, nor whether their number is $n^{O(1)}$. Intersections and composites 
of given subfields can be found by means of linear algebra. 

We stress that for our algorithms the number field $K$ is considered to be variable 
rather than fixed, and that we wish our running time estimates to be uniform in 
$K$. 

2.10. Orders. An order in a number field $K$ of degree $n$ is a subring $A$ of $K$ 
of which the additive group is isomorphic to $\mathbf{Z}^n$. Among all orders in $K$ there is 
a unique maximal one, which is called the ring of integers of $K$ and denoted by 
$O$. The orders in $K$ are precisely the subrings of $O$ of finite additive index. The 
discriminant $\Delta_A$ of an order $A$ with $\mathbf{Z}$-basis $\omega_1, \omega_2, \ldots, \omega_n$ is the determinant of the 
matrix $(\mathrm{Tr}(\omega_i\omega_j))_{i,j}$, where $\mathrm{Tr}\colon K \to \mathbf{Q}$ is the trace map. The discriminant of every 
order is a nonzero integer. The discriminant of $O$ is also called the discriminant of 
$K$ over $\mathbf{Q}$ and is simply denoted by $\Delta$. 

There are several ways of encoding an order $A$ in a number field $K$. One is 
by specifying $A$ as a ring as in 2.7, which amounts to giving $n$ and a system of 
integers $a_{ijk}$; from $A \otimes_{\mathbf{Z}} \mathbf{Q} = K$ it follows that the same data also encode $K$. 
Another is by specifying $K$ as well as a sequence of elements of $K$ that generates 
$A$ as a ring, or as an abelian group. We leave it to the reader to check that there 
are good algorithms for transforming all those encodings into each other. 

Given a number field $K$ one can construct an order in $K$ in polynomial time, 
as follows. Let rational numbers $a_{ijk}$ be given that describe the multiplication 
on a $\mathbf{Q}$-basis $e_1 = 1, e_2, \ldots, e_n$ for $K$, and let $d$ be the least common multiple 
of the denominators of the $a_{ijk}$. Then $A = \mathbf{Z} + \sum_{i=2}^{n} \mathbf{Z}\,d e_i$ is an order in $K$. In 
many cases one knows the irreducible polynomial $f$ of a primitive element $\alpha$ of $K$ 
over $\mathbf{Q}$. If $f \in \mathbf{Z}[X]$, then one can take for $A$ the "equation order" $\mathbf{Z}[\alpha]$, which 
as a ring is isomorphic to $\mathbf{Z}[X]/f\mathbf{Z}[X]$. If $f$ does not belong to $\mathbf{Z}[X]$, then one 
can either replace $\alpha$ by $m\alpha$ for a suitable positive integer $m$, or use a little known 
generalization of the equation order, namely, the ring 



To find a $\mathbf{Z}$-basis for this ring, let $m$ be the least positive integer for which the 
polynomial $g = mf = \sum_{i=0}^{n} a_i X^i$ has coefficients in $\mathbf{Z}$ (with $a_n = m$); then 



These are exactly the rings $A$ for which $\mathrm{Spec}\,A$ is isomorphic to a "horizontal" prime 
divisor of the projective line over $\mathbf{Z}$. Many results that are known for equation 
orders have direct analogues for rings of this type; for example, the discriminant of 
$A$ equals the discriminant of $g$. 

Applying basis reduction to a given order $A$ as in 2.6, one can find a $\mathbf{Z}$-basis for $A$ 
with the property that the integers $a_{ijk}$ that express multiplication in this basis satisfy 
$a_{ijk} = |\Delta_A|^{O(1)}$. This shows that $A$ can be encoded by means of data of length 
$O(n^3(2 + \log|\Delta_A|))$, and that there is a good algorithm for transforming a given 
encoding into one satisfying this bound. From the inequality $n < 2(\log|\Delta_A|)/\log 3$, 
which is valid for all $A \ne \mathbf{Z}$, one sees that the bound is $(2 + \log|\Delta_A|)^{O(1)}$. It is 
often convenient to assume that the given encoding of $A$ satisfies this bound, and 
to estimate running times in terms of $|\Delta_A|$. 

Let $A$ be an order in a number field $K$ of degree $n$. By a fractional ideal of $A$ 
we mean a finitely generated nonzero $A$-submodule of $K$. The additive group of 
a fractional ideal is isomorphic to $\mathbf{Z}^n$. One can compute with fractional ideals as 
with ideals (see 2.7). 

2.11. Local fields. A local field is a locally compact, nondiscrete topological field. 
Such a field is topologically isomorphic to the field $\mathbf{R}$ of real numbers, or to the 
field $\mathbf{C}$ of complex numbers, or, for some prime number $p$, to a finite extension of 
the field $\mathbf{Q}_p$ of $p$-adic numbers, or, for some finite field $E$, to the field $E((t))$ of 
formal Laurent series over $E$. A local field is uncountable, which implies that we 
have to be satisfied with specifying its elements only to a certain precision. The 
discussion below is limited to the case that the field is non-archimedean, i.e., not 
isomorphic to $\mathbf{R}$ or $\mathbf{C}$. 

The complexity theory of local fields has not been developed as systematically 
as one might expect on the basis of their importance in number theory (see [19]). 
The first thing to do is to develop algorithms for factoring polynomials in one 
variable to a given precision; see [21, 14] and §4 below. Here the incomplete solution 
of the corresponding problem over finite fields (see 2.8) causes a difficulty; we 
are forced to admit probabilistic algorithms, or to allow the running time to be 
$\sqrt{p}$ times polynomial time, where $p$ denotes the characteristic of the residue class 
field, or to avoid the need for completely factoring polynomials. Once one can 
factor polynomials, it is likely that satisfactory algorithms can be developed for the 
calculation of ramification indices and residue class field degrees of finite extensions 
of non-archimedean local fields. Some further problems are mentioned at the end 
of §3. 

3. Galois groups 

In this section we are concerned with the following problem. 

Problem 3.1. Given an algebraic number field $K$ and a nonzero polynomial $f \in 
K[X]$, determine the Galois group $G$ of $f$ over $K$. Can this be done in polynomial 
time? 

In the sequel we will always assume that the polynomial $f$ is squarefree. This can 
be accomplished by means of a good algorithm, which replaces $f$ by $f/\gcd(f, f')$. 
We denote the degree of $f$ by $n$. 

We should specify how we want the algorithm to describe $G$. One possibility is to 
require that the algorithm comes up with a complete multiplication table of a finite 
group that is isomorphic to $G$, but this has an important shortcoming. Namely, 
the group may be very large in comparison to the length of the input, and it may 
not be possible to write down such a complete multiplication table in polynomial 
time, let alone calculate it. If we insist on a complete multiplication table, then 
"polynomial time" in Problem 3.1 should be taken to mean: polynomial time in the 
combined lengths of the input plus output. Theorem 3.2 below shows that Problem 
3.1 does in this sense have a polynomial time solution. 

If we are interested in more efficient algorithms, we should look for a more concise 
way of describing $G$. For this, we view $G$ as a permutation group of the zeroes of 
$f$ rather than as an abstract group. Numbering the zeroes we see that $G$ may be 
regarded as a subgroup of the symmetric group $S_n$ of order $n!$; this subgroup is 
determined only up to conjugacy due to the arbitrary choice of the numbering of 
the zeroes. Instead of asking for a multiplication table of $G$ we shall ask for a list 
of elements of $S_n$ that generate $G$. Every subgroup of $S_n$ has a system of at most 
$n-1$ generators (see [52, Lemma 5.2]), and these can be specified using $O(n^2 \log n)$ 
bits. This is bounded by a polynomial function of the length of the input, since the 
latter is at least $n$. 

This formulation of the problem still leaves something to be desired; namely, 
we do not ask how the numbering of the zeroes of $f$ is related to other ways in 
which zeroes of $f$ may be specified: for example, as complex numbers to a certain 
precision, for a suitable embedding $K \to \mathbf{C}$, or similarly as $p$-adic numbers for a 
suitable prime number $p$, or as elements of an abstractly defined splitting field or of 
one of its subfields. However, even without such a refined formulation the problem 
appears to be hard enough. 

It should be remarked that a set of generators of a subgroup G of Sn can be used 
to answer, in polynomial time, several natural questions about G. For example, 
one can determine its order; one can decide whether a given element of Sn belongs 
to G; one can, for a given prime p, determine generators for a Sylow p-subgroup of 
G; one can find a composition series for G and name the isomorphism types of its 
composition factors; in particular, one can decide whether G is solvable. For more 
examples, proofs, and references, see [32]. It may be that some of the ideas that 
underlie this theory, which depends on the classification of finite simple groups, will 
play a role in a possible solution of Problem 3.1. 

The following result, due to Landau [35], expresses that the possibility that $G$ is 
very large is the only obstruction to finding a good algorithm for Problem 3.1. 

Theorem 3.2. There is a deterministic algorithm that given $K$ and $f$ as in Problem 
3.1 and a positive integer $b$ decides whether the Galois group $G$ has order at 
most $b$, and if so gives a complete list of elements of $G$, and that runs in time 
$(b + l)^{O(1)}$, where $l$ is the length of the data specifying $K$ and $f$. 

The algorithm is obtained from the standard textbook construction of a splitting 
field of $f$ over $K$. One first factors $f$ into irreducible factors in $K[X]$. If all factors 
are linear, then the splitting field is $K$ itself. Otherwise, one passes to the field 
$L = K[X]/gK[X]$, where $g$ is one of the nonlinear irreducible factors of $f$. Then a 
splitting field of $f$ over $L$ is also one over $K$, so applying the algorithm recursively 
one can determine a splitting field of $f$ over $K$. If at any stage during the recursion 
it happens that one obtains a field that has degree larger than $b$ over the initial 
field $K$, then $\#G > b$, and one stops. If this does not happen, then one eventually 
arrives at a splitting field $M$ of $f$ over $K$. As in 2.9 one can determine the group 
$\mathrm{Gal}(M/K)$ of all $K$-automorphisms of $M$, and this is $G$. It is then easy to make a 
multiplication table for $G$ and to find an embedding of $G$ into the symmetric group 
of the set of zeroes of $f$. 

One sees from Theorem 3.2 that $G$ can be determined in time . Since 
$\#G \le n!$, it follows that for bounded $n$ Problem 3.1 is solved in the sense that there 
is a polynomial time solution. This is an example of a complexity result that does 
not adequately reflect the practical situation: the practical problem of determining 
Galois groups is not considered to be well solved, even though the algorithms that 
are actually used nowadays always require $n$ to be bounded; in fact, each value 
of $n$ typically has its own algorithm (cf. [69, 26]), which does not follow the crude 
approach outlined above. 

Corollary 3.3. There is a good algorithm that given $K$ and $f$ decides whether $G$ 
is abelian, and determines $G$ if $G$ is abelian and $f$ is irreducible. 

For irreducible $f$ this is easily deduced from Theorem 3.2 with $b = n$, since a 
transitive abelian permutation group of degree $n$ has order $n$. For reducible $f$ one 
uses that the Galois group of $f$ is abelian if and only if the Galois group of each 
irreducible factor of $f$ is abelian. 

For reducible $f$, this algorithm does not determine the Galois group, and it is 
not clear whether this can be done in polynomial time. The following problem 
illustrates the difficulty. 

Problem 3.4. Given an algebraic number field $K$ and elements $a_1, a_2, \ldots, a_t \in K$, 
determine the Galois group of $\prod_{i=1}^{t}(X^2 - a_i)$ over $K$. Is there a good algorithm 
for doing this? 

For $K = \mathbf{Q}$ this is indeed possible. For general algebraic number fields one can 
probably do it if one assumes the generalized Riemann hypothesis. Without such 
an assumption already the case that all $a_i$ are units of the ring of integers of $K$ is 
difficult to handle. In any case, the algorithm from Theorem 3.2 is in general too 
slow. 

The following pretty result is due to Landau and Miller [36]. It shows that one 
can decide in polynomial time whether $f$ is solvable by radicals over $K$. 

Corollary 3.5. There is a good algorithm that given $K$ and $f$ decides whether $G$ 
is solvable. 

As in the proof of Corollary 3.3, we may assume that $f$ is irreducible. If there 
were a bound of the form $n^{O(1)}$ for the order of a solvable transitive permutation 
group of degree $n$, then we could proceed in the same way as for abelian groups. 
However, no such bound exists, since for every integer $k > 0$ there is a solvable 
transitive permutation group of degree $n = 2^k$ and order $2^{n-1}$. Instead, one uses 
that the order of a primitive solvable permutation group of degree $n$ does have an 
upper bound of the form $n^{O(1)}$ (see [54]). By Galois theory, the Galois group $G$ of 
$f$ is primitive if and only if there are no nontrivial intermediate fields between $K$ 
and $K(\alpha)$, where $f(\alpha) = 0$. To reduce the general case to this situation, it suffices 
to find a chain of fields $K = K_0 \subset K_1 \subset \cdots \subset K_t = K(\alpha)$ that cannot be refined, 
since $G$ is solvable if and only if for each $i$ the Galois closure of $K_i \subset K_{i+1}$ has a 
solvable Galois group. Such a chain can be found inductively if one can, among all 
intermediate fields $K \subset L \subset K(\alpha)$ with $L \ne K(\alpha)$, find a maximal one. This is 
done as follows. Factor the polynomial $f$ into monic irreducible factors over $K(\alpha)$. 
One of the factors is $X - \alpha$. For each other irreducible factor $g$ we define a subfield 
$L_g \subset K(\alpha)$ containing $K$ as follows. If $g$ is linear, $g = X - \beta$, then $K(\alpha)$ has a 
unique $K$-automorphism $\sigma$ with $\sigma\alpha = \beta$, and we let $L_g$ be the field of invariants 
of $\sigma$. If $g$ is nonlinear, then let $\beta$ be a zero of $g$ in an extension field of $K(\alpha)$, and 
$L_g = K(\alpha) \cap K(\beta)$. I claim that all maximal subfields are among the $L_g$, so that 
we can find a maximal subfield by choosing a field $L_g$ with the largest degree over 
$K$. The correctness of the claim follows by Galois theory from the following purely 
group theoretic statement. Let $G$ be a finite group, $H \subset J \subset G$ subgroups with 
$H \ne J$, and assume that there is no subgroup $I$ of $G$ with $H \subset I \subset J$, $H \ne I \ne J$; 
then there exists $\sigma \in G - H$ such that 

$$\langle H, \sigma \rangle = J \quad \text{if } \sigma H \sigma^{-1} = H,$$ 
$$\langle H, \sigma H \sigma^{-1} \rangle = J \quad \text{if } \sigma H \sigma^{-1} \ne H.$$ 

In fact, it suffices to choose $\sigma \in J - H$. 

This concludes the sketch of the proof of Corollary 3.5. Note that the algorithm 
does not determine the group $G$ if it is solvable, even if $f$ is irreducible. One does 
obtain the prime divisors of $\#G$ if $G$ is solvable. 

Theorem 3.2 suggests that the largest groups are the hardest to determine. However, 
the following result, which is taken from [34], shows that the very largest ones 
can actually be dealt with in polynomial time. As above, let $S_n$ denote the full 
symmetric group of degree $n$, and let $A_n$ be the alternating group of degree $n$. 

Theorem 3.6. There is a good algorithm that given $K$ and $f$ decides whether the 
Galois group of $f$ is $S_n$ and whether or not it is $A_n$. 

For this, one may by the above assume that $n > 8$. From the classification of 
finite simple groups it follows (see [18]) that the only sixfold transitive permutation 
groups of degree $n$ are $A_n$ and $S_n$. Hence, if we build up the splitting field of $f$ over 
$K$ as in the proof of Theorem 3.2, then $G$ is $A_n$ or $S_n$ if and only if after adjoining six 
zeroes of $f$ one has obtained an extension of degree $n(n-1)(n-2)(n-3)(n-4)(n-5)$. 
One can distinguish between $A_n$ and $S_n$ by computing the discriminant $\Delta_f$ of $f$ (this 
comes down to evaluating a determinant, which can be done in polynomial 
time) and checking whether $X^2 - \Delta_f$ has a zero in $K$. 
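
The two determinant computations mentioned so far, the order $A = \mathbf{Z} + \sum \mathbf{Z}\,d e_i$ of 2.10 with its discriminant $\det(\mathrm{Tr}(\omega_i\omega_j))$, and the discriminant $\Delta_f$ of Theorem 3.6 as a determinant followed by the square test that separates $A_n$ from $S_n$, as an added Python example that is not part of the paper. It assumes structure constants indexed from $0$ (so $e_0 = 1$), polynomials given as coefficient lists with the constant term first, monic $f \in \mathbf{Z}[X]$ and $K = \mathbf{Q}$ in the square test; the sample inputs ($\mathbf{Q}(\sqrt5)$ on the basis $1, \sqrt5/2$, the Gaussian integers, and the cubics $X^3 - X - 1$ and $X^3 - 3X + 1$) are constructed here. 

```python
# Added example (not the paper's code): discriminants as determinants.
# (1) integral_order: the order A = Z + Z d e_1 + ... + Z d e_{n-1} of 2.10,
#     from rational structure constants on a Q-basis e_0 = 1, ..., e_{n-1} of K,
#     and discriminant_of_order: det(Tr(w_i w_j)).
# (2) poly_discriminant: Delta_f = (-1)^(n(n-1)/2) Res(f, f'), the resultant being
#     the determinant of the Sylvester matrix, and the square test of Theorem 3.6.
from fractions import Fraction
from math import lcm, isqrt


def det(matrix):
    """Determinant over Q by Gaussian elimination with exact Fractions."""
    m = [[Fraction(x) for x in row] for row in matrix]
    n, result = len(m), Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != col:                       # a row swap flips the sign
            m[col], m[piv] = m[piv], m[col]
            result = -result
        result *= m[col][col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            if factor:
                m[r] = [a - factor * b for a, b in zip(m[r], m[col])]
    return result


def integral_order(constants):
    """constants[i][j][k] = a_ijk (ints, Fractions or strings like "5/4") with
    e_i e_j = sum_k a_ijk e_k and e_0 = 1.  Returns d = lcm of the denominators
    and the integer structure constants of A = Z + sum_{i>=1} Z d e_i in the
    basis w_0 = 1, w_i = d e_i."""
    n = len(constants)
    d = 1
    for row in constants:
        for vec in row:
            for a in vec:
                d = lcm(d, Fraction(a).denominator)
    scale = [1] + [d] * (n - 1)              # w_i = scale[i] * e_i
    table = [[[0] * n for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for k in range(n):
                # w_i w_j = scale_i scale_j sum_k a_ijk e_k
                #         = sum_k (scale_i scale_j a_ijk / scale_k) w_k
                c = Fraction(scale[i] * scale[j]) * Fraction(constants[i][j][k]) / scale[k]
                assert c.denominator == 1, "constants must describe e_0 = 1"
                table[i][j][k] = int(c)
    return d, table


def discriminant_of_order(table):
    """det(Tr(w_i w_j)), Tr(x) being the trace of the multiplication-by-x matrix."""
    n = len(table)

    def trace(x):
        # entry (k, j) of multiplication by x is sum_i x_i table[i][j][k]; take k = j
        return sum(x[i] * table[i][j][j] for i in range(n) for j in range(n))

    return int(det([[trace(table[i][j]) for j in range(n)] for i in range(n)]))


def poly_discriminant(f):
    """Discriminant of a monic f in Z[X] (coefficients lowest degree first)."""
    n = len(f) - 1
    fp = [i * c for i, c in enumerate(f)][1:]            # f', degree n - 1
    size = 2 * n - 1
    rows = [[0] * s + f[::-1] + [0] * (size - s - n - 1) for s in range(n - 1)]
    rows += [[0] * s + fp[::-1] + [0] * (size - s - n) for s in range(n)]
    sign = -1 if (n * (n - 1) // 2) % 2 else 1
    return sign * int(det(rows))                          # Res(f, f') = det(Sylvester)


def galois_group_inside_An(f):
    """G is contained in A_n iff Delta_f is a square in Q; together with
    Theorem 3.6 this tells A_n and S_n apart (f monic in Z[X], K = Q)."""
    delta = poly_discriminant(f)
    return delta >= 0 and isqrt(delta) ** 2 == delta


if __name__ == "__main__":
    # constructed sample: K = Q(sqrt 5) with basis e_0 = 1, e_1 = sqrt(5)/2
    d, table = integral_order([[[1, 0], [0, 1]], [[0, 1], ["5/4", 0]]])
    print(d, table[1][1], discriminant_of_order(table))   # 4 [20, 0] 80: A = Z[2 sqrt 5]
    gauss = [[[1, 0], [0, 1]], [[0, 1], [-1, 0]]]         # Z[i] in the basis 1, i
    print(discriminant_of_order(gauss), poly_discriminant([1, 0, 1]))   # -4 -4
    print(poly_discriminant([-1, -1, 0, 1]))              # -23 for X^3 - X - 1
    print(galois_group_inside_An([1, -3, 0, 1]))          # True: Delta = 81 = 9^2
```

The equation-order case $\mathbf{Z}[i]$ shows the relation noted in 2.10: the trace-form determinant of the order agrees with the discriminant of its defining polynomial.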

In a similar way one can decide in polynomial time whether $G$ is doubly transitive. 
If $G$ is doubly transitive, one can determine the isomorphism type of the 
unique minimal normal subgroup of $G$ in polynomial time, a result that is due to 
Kantor [31]. If one attempts to determine $G$ itself, one runs into the following 
problem, which was suggested by Kantor. 

Problem 3.7. Is there a polynomial time algorithm that given $K$ and $f$ as in 
Problem 3.1 and a prime number $p$ decides whether $G$ has a normal subgroup of 
index $p$? 

Even for $p = 2$ this appears to be difficult. 

Resolvent polynomials, such as $X^2 - \Delta_f$ in the proof of Theorem 3.6, play a 
much more important role in practical algorithms for determining Galois groups 
than in known complexity results (see [69, 26]). 

Problem 3.8. Is there a way to exploit resolvent polynomials to obtain complexity 
results for varying $n$? 

The results that we have treated so far are more algebraic than arithmetic in 
nature, the only exception being what we said about Problem 3.4. It should be 
possible to formulate and prove similar results for other sufficiently explicitly given 
fields over which polynomials in one variable can be factored efficiently. We now 
turn to techniques that do exploit the arithmetic of the field. The natural way to 
do this is to first consider the case of finite and local base fields. 

Let $E$ be a finite field, $f \in E[X]$ a nonzero polynomial, and $n$ its degree. As we 
mentioned in 2.8, there is a good algorithm that, given $E$ and $f$, determines the 
factorization type of $f$ in $E[X]$. This immediately gives rise to the Galois group $G$, 
which is cyclic of order equal to the least common multiple of the degrees of the 
irreducible factors of $f$. One also obtains the cycle pattern of a permutation that 
generates $G$ as a permutation group. Note that already in the case of finite fields 
the order of $G$ may, for reducible $f$, be so large that the elements of $G$ cannot be 
listed one by one in polynomial time. 
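
The passage above carried out for a prime field $E = \mathbf{F}_p$, as an added Python example that is not from the paper. The factorization type of a squarefree $f$ is obtained by distinct-degree factorization, which splits off the product of the irreducible factors of degree $d$ as $\gcd(f, X^{p^d} - X)$ without factoring completely; the degrees found are the cycle pattern of a generator of $G$, and their least common multiple is $\#G$. The example writes out its own arithmetic in $\mathbf{F}_p[X]$, assumes $p$ prime, and uses sample polynomials constructed here. 

```python
# Added example (not the paper's code): Galois group of a squarefree f over F_p
# from its factorization type.  Polynomials are coefficient lists, constant term
# first; p is assumed to be prime.
from functools import reduce
from math import gcd as int_gcd


def trim(a):
    """Drop zero coefficients at the high-degree end; [] is the zero polynomial."""
    while a and a[-1] == 0:
        a = a[:-1]
    return a


def p_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def p_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % p for x, y in zip(a, b)])


def p_divmod(a, b, p):
    """Quotient and remainder in F_p[X]; b must be nonzero."""
    a, b = trim(list(a)), trim(list(b))
    inv = pow(b[-1], p - 2, p)              # lc(b) is invertible since p is prime
    q = [0] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b):
        c, k = (a[-1] * inv) % p, len(a) - len(b)
        q[k] = c
        for i, y in enumerate(b):
            a[i + k] = (a[i + k] - c * y) % p
        a = trim(a)
    return trim(q), a


def p_gcd(a, b, p):
    """Monic gcd in F_p[X] by the Euclidean algorithm."""
    a, b = trim(list(a)), trim(list(b))
    while b:
        a, b = b, p_divmod(a, b, p)[1]
    inv = pow(a[-1], p - 2, p)
    return [(x * inv) % p for x in a]


def p_powmod(base, e, mod, p):
    """base^e modulo mod in F_p[X], by square-and-multiply."""
    result, base = [1], p_divmod(base, mod, p)[1]
    while e:
        if e & 1:
            result = p_divmod(p_mul(result, base, p), mod, p)[1]
        base = p_divmod(p_mul(base, base, p), mod, p)[1]
        e >>= 1
    return result


def factorization_type(f, p):
    """Sorted degrees of the irreducible factors of a squarefree f in F_p[X],
    by distinct-degree factorization: the product of the irreducible factors
    of degree d is gcd(f, X^(p^d) - X) once smaller degrees are removed."""
    f = trim([c % p for c in f])
    inv = pow(f[-1], p - 2, p)
    f = [(c * inv) % p for c in f]                          # make f monic
    deriv = trim([(i * c) % p for i, c in enumerate(f)][1:])
    assert len(p_gcd(f, deriv, p)) == 1, "f must be squarefree"
    degrees, h, d = [], [0, 1], 1                           # h = X^(p^(d-1)) mod f
    while len(f) - 1 >= 2 * d:
        h = p_powmod(h, p, f, p)                            # h = X^(p^d) mod f
        g = p_gcd(f, p_sub(h, [0, 1], p), p)
        if len(g) > 1:
            degrees += [d] * ((len(g) - 1) // d)
            f = p_divmod(f, g, p)[0]
            h = p_divmod(h, f, p)[1]
        d += 1
    if len(f) > 1:
        degrees.append(len(f) - 1)      # whatever is left is a single irreducible
    return sorted(degrees)


def galois_group_over_Fp(f, p):
    """Cycle pattern of a generator of the cyclic group G and #G = lcm of the degrees."""
    pattern = factorization_type(f, p)
    order = reduce(lambda a, b: a * b // int_gcd(a, b), pattern, 1)
    return pattern, order


if __name__ == "__main__":
    print(galois_group_over_Fp([1, 0, 0, 0, 1], 17))   # ([1, 1, 1, 1], 1): X^4 + 1 splits
    print(galois_group_over_Fp([1, 0, 0, 0, 1], 3))    # ([2, 2], 2)
    print(galois_group_over_Fp([-1, -1, 0, 1], 5))     # ([1, 2], 2) for X^3 - X - 1
    print(galois_group_over_Fp([-1, -1, 0, 1], 2))     # ([3], 3)
```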

We next discuss local fields. 

Problem 3.9. Given a local field $F$ and a polynomial $f \in F[X]$ with a nonzero 
discriminant, determine the Galois group $G$ of $f$ over $F$. What is the complexity 
of this problem? Is there a good algorithm for it? 

I am not aware of any published work that has been done on Problem 3.9, 
and I will only make a few brief remarks, restricting myself to the case that $F$ 
is non-archimedean. Once a satisfactory theory of factoring polynomials has been 
developed (see 2.11), one can prove an analogue of Theorem 3.2. This does not yet 
solve the problem, since even when $f$ is irreducible the Galois group may have a 
very large order. Tamely ramified extensions are small, however, which suggests 
that the following problem should be doable. 

Problem 3.10. Given $F$ and $f$ as in Problem 3.9, with $F$ non-archimedean, decide 
whether a splitting field of $f$ over $F$ is tamely ramified, and if so determine its Galois 
group over $F$. Can this be done in polynomial time? 

When this problem is solved, one is left with wildly ramified extensions, which 
occur only if $p$ is small. In that case, one may first want to consider the following 
problem, which looks harder than Problem 3.10. 

Problem 3.11. Given $F$ and $f$ as in Problem 3.9, with $F$ non-archimedean, determine 
the Galois group of the maximal tamely ramified subextension $M$ of a 
splitting field of $f$ over $F$. Can this be done in polynomial time? 

If $f$ is irreducible of degree $n$, then the field $M$ in Problem 3.11 has degree at 
most over $F$. This follows from a group-theoretic argument that was shown to 
me by I. M. Isaacs. 

Even when all local problems are completely solved it is not clear whether they 
are very helpful in solving Problem 3.1. There is a well-known heuristic technique 
that can be used to obtain information about the Galois group, which comes down to 
first considering the local Galois group at primes that do not divide the discriminant 
of / (see [73, §1]). Not much can be proved about this method, however (cf. [34, 
§4]). G. Cornell has suggested to look instead at the ramifying primes, the rationale 
being that Problem 3.1 should be reducible to the case K = Q, in which case the 
Galois group is generated by the inertia groups. 

4. Rings of integers 
In this section we consider the following problem and its complexity. 
Problem 4.1. Given an algebraic number field $K$, determine its ring of integers 
$O$. 

Constructing an order in $K$ as in 2.10 we see that this problem is equivalent to 
the following one. 

Problem 4.2. Given an order $A$ in a number field $K$, determine the ring of integers 
$O$ of $K$. 

Much of the literature on this problem assumes that the given order is an equation 
order $\mathbf{Z}[\alpha]$, and it is true that equation orders offer a few advantages in the 
initial stages of several algorithms. It may be that in many practical circ­umstances 
one never gets beyond these initial stages (cf. [8, Preface]), but in the worst 
case, which is what we are concerned with when we estimate the complexity of a 
problem, these advantages quickly disappear as the algorithm proceeds. For this 
reason we make no special assumptions about $A$ except that it is an order. 

Most of what we have to say about Problem 4.2 also applies to the following 
more general problem. 

Problem 4.3. Given a commutative ring $A$ of which the additive group is isomorphic 
to $\mathbf{Z}^n$ for some $n$, and that has a nonvanishing discriminant over $\mathbf{Z}$, determine 
the maximal order in $A \otimes_{\mathbf{Z}} \mathbf{Q}$. 

It is not difficult to show that Problems 4.2 and 4.3 are equivalent under deterministic 
polynomial time reductions. 

The main result on Problem 4.1, which is due to Chistov [22, 14], is a negative 
one. 

Theorem 4.4. Under deterministic polynomial time reductions, Problem 4.1 is 
equivalent to the problem of finding the largest square factor of a given positive 
integer. 

The problem of finding the largest square factor of a given positive integer $m$ is 
easily reduced to Problem 4.1 by considering the number field $K = \mathbf{Q}(\sqrt{m})$. For 
the opposite reduction, which in computer science language is a "Turing" reduction, 
we refer to the discussion following Theorem 4.6 below. 

Since there is no known algorithm for finding the largest square factor of a given 
integer $m$ that is significantly faster than factoring $m$ (see [43, §2]), Theorem 4.4 
shows that Problem 4.1 is currently intractable. More seriously, even if someone 
gives us $O$, we are not able to recognize it in polynomial time, even if probabilistic 
algorithms are allowed. Deciding whether the given order $A$ in Problem 4.2 equals 
$O$ is currently an infeasible problem, just as deciding whether a given positive 
integer is squarefree is infeasible. This is not just true in theory, it is also true in 
practice. 

One possible conclusion is that O is not an object that one should want to work 
with in algorithms. It may very well be that whenever O is needed one can just 
as well work with an order A in K , and assume that A equals O until evidence to 
the contrary is obtained. This may happen, for example, when a certain nonzero 
ideal of A is found not to be invertible; in that case one can, in polynomial time, 
construct an order A' in K that strictly contains A and proceed with A' instead of 
A. 

If it indeed turns out to be wise to avoid working with $O$, then it is desirable that 
more attention be given to general orders, both algorithmically and theoretically 
(cf. [59]). This is precisely what has happened in the case of quadratic fields (cf. 
[45, 49, 28]). 

The order $A$ equals $O$ if and only if all of its nonzero prime ideals $\mathfrak p$ are nonsingular; 
here we call $\mathfrak p$ nonsingular if the local ring $A_{\mathfrak p}$ is a discrete valuation ring, 
which is equivalent to $\dim_{A/\mathfrak p} \mathfrak p/\mathfrak p^2 = 1$. One may wonder, if it is intractable to find 
$O$, can one at least find an order in $K$ containing $A$ of which the singularities are 
bounded in some manner? One result of this sort is given below in Theorem 4.7; 
it implies that given $A$, one can find an order $B$ in $K$ containing $A$ such that all 
singularities $\mathfrak p$ of $B$ are plane singularities, i.e., satisfy $\dim_{A/\mathfrak p} \mathfrak p/\mathfrak p^2 = 2$. 

The geometric terminology just used should remind us of a situation in which 
there does exist a good method for finding the largest square factor, namely, if 
we are dealing with polynomials in one variable over a field. Thus, Theorem 4.4 
suggests that, for a finite field $E$, finding the integral closure of the polynomial ring 
$E[t]$ in a given finite extension of $E(t)$ is a tractable problem, and results of this 
nature have indeed been obtained (see [22]). In geometric language, this means 
that it is feasible to resolve the singularities of a given irreducible algebraic curve 
over a given finite field. The corresponding problem over fields of characteristic zero 
has been considered as well (see [71]), and one may wonder whether the geometric 
techniques that have been proposed can also be used in the context of Problem 
4.2. In any case, we can formulate Problem 4.2 geometrically by asking for the 
resolution of the singularities of a given irreducible arithmetic curve. 

For many purposes, resolving singularities is a local problem, but as we see from 
Theorem 4.4 that is not quite the case in the context of algorithms. It may be that 
one only needs to look locally at those prime ideals $\mathfrak p$ of $A$ for which $\dim_{A/\mathfrak p} \mathfrak p/\mathfrak p^2 > 1$, 
but how does one find those prime ideals? And likewise, if $A = \mathbf{Z}[X]/f\mathbf{Z}[X]$ is an 
equation order, then, as all textbooks point out, one only needs to look locally at 
those prime numbers $p$ for which $p^2$ divides the discriminant of $f$, but how does one 
find those prime numbers? By contrast, once one knows at which $p$ or $\mathfrak p$ to look, 
the problem does admit a solution. To formulate it we introduce some notation. 

Let $A$ be an order in a number field $K$ of degree $n$. Let further $C$ be a subring 
of $A$; for us, the most interesting cases are $C = A$ and $C = \mathbf{Z}$. For any nonzero 
prime ideal $\mathfrak p$ of $C$ we define 

$$A^{(\mathfrak p)} = \{\beta \in O : \mathfrak p^m \beta \subset A \text{ for some } m \in \mathbf{Z}_{\ge 0}\};$$ 

this is the "$\mathfrak p$-primary part" of $O$ when viewed modulo $A$. It is not difficult to show 
that $A^{(\mathfrak p)}$ is an order in $K$ and that it is the smallest order in $K$ containing $A$ with 
the property that all its prime ideals containing $\mathfrak p$ are nonsingular. In addition, one 
has an isomorphism $O/A \cong \bigoplus_{\mathfrak p} A^{(\mathfrak p)}/A$ of $C$-modules, with $\mathfrak p$ ranging over the set 
of nonzero prime ideals of $C$, and $A^{(\mathfrak p)} = A$ for all but finitely many $\mathfrak p$. Thus, to 
determine $O$, it suffices to determine all $A^{(\mathfrak p)}$. For a single $\mathfrak p$, we have the following 
result. 

Theorem 4.5. There is a good algorithm that given $K$, $A$, $C$, $\mathfrak p$ as above, determines 
$A^{(\mathfrak p)}$. 

This is proved by analyzing an algorithm of Zassenhaus [77, 78]. We briefly 
sketch the main idea. Let us first consider the case $C = \mathbf{Z}$. Denote by $p$ the prime 
number for which $\mathfrak p = p\mathbf{Z}$, and write $A^{(p)} = A^{(\mathfrak p)}$. 
One needs a criterion for $A$ to be equal to $A^{(p)}$. The multiplier ring $R_{\mathfrak a}$ of a 
nonzero $A$-ideal $\mathfrak a$ is defined by 

$$R_{\mathfrak a} = \{\beta \in K : \beta\mathfrak a \subset \mathfrak a\};$$ 

this is an order in $K$ containing $A$. By $\mathfrak q$ we shall denote a typical prime ideal of $A$ 
that contains $p$, and we let $\mathfrak r$ be the product of all such $\mathfrak q$. By standard commutative 
algebra, $A$ equals $A^{(p)}$ if and only if all $\mathfrak q$ are invertible, and $\mathfrak q$ is invertible if and 
only if $R_{\mathfrak q} = A$. Also, each $R_{\mathfrak q}$ is contained in $R_{\mathfrak r}$, so that we can decide whether 
or not $A$ equals $A^{(p)}$ by looking at $R_{\mathfrak r}$. More precisely, if $R_{\mathfrak r} = A$ then $A = A^{(p)}$, 
and if $R_{\mathfrak r}$ properly contains $A$ then so does $A^{(p)}$, since clearly $R_{\mathfrak r} \subset A^{(p)}$. 

I claim that to turn the above considerations into an algorithm it suffices to have 
a way of determining $\mathfrak r$. Namely, suppose that $\mathfrak r$ is known. Then one can determine 
$R_{\mathfrak r}$ by doing linear algebra over $\mathbf{F}_p$, using that $pR_{\mathfrak r}/pA$ is the kernel of the $\mathbf{F}_p$-linear 
map $A/pA \to \mathrm{End}(\mathfrak r/p\mathfrak r)$ that sends each $x \in A/pA$ to the multiplication-by-$x$ map. 
If this map is found to be injective, then $R_{\mathfrak r} = A$, and the algorithm terminates 
with $A^{(p)} = A$. If it is not injective, then $R_{\mathfrak r}$ strictly contains $A$. In that case one 
replaces $A$ by $R_{\mathfrak r}$ and starts all over again. Note that the number of iterations is 
bounded by $(\log|\Delta_A|)/(2\log p)$, where $\Delta_A$ denotes the discriminant of $A$. 

It remains to find an algorithm for determining $\mathfrak r$. Since the ideals $\mathfrak q$ are pairwise 
coprime, $\mathfrak r$ is their intersection, so $\mathfrak r/pA$ is the set of nilpotents of the finite ring 
$A/pA$. It can, again by linear algebra, be found as the kernel of the $\mathbf{F}_p$-linear map 
$A/pA \to A/pA$ that sends each $x \in A/pA$ to $x^{p^t}$; here $t$ is the least positive integer 
for which $p^t > n$. 
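
The step just described, as an added Python example that is not part of the paper: for an order given by structure constants, $\mathfrak r/pA$ is found as the kernel of $x \mapsto x^{p^t}$ on $A/pA$ by Gaussian elimination over $\mathbf{F}_p$. The example also reports the special case $\mathfrak r = pA$ (zero radical): then $R_{\mathfrak r} = A$ and hence $A = A^{(p)}$ without the multiplier-ring step; a nonzero radical is left undecided, since that step is not implemented here. The orders used are equation orders $\mathbf{Z}[\alpha]$ built from a monic $f \in \mathbf{Z}[X]$ with coefficients listed constant term first, an assumption of the example (the functions accept any table whose first basis element is $1$); the sample polynomials $X^2 - 5$ and $X^3 - X - 1$ are constructed. 

```python
# Added example (not the paper's code): the nilradical r/pA of A/pA as the kernel
# of the F_p-linear Frobenius power x -> x^(p^t), for an order A given by
# structure constants table[i][j] = coordinates of w_i w_j, with w_0 = 1.


def power_basis_table(f):
    """Structure constants of the equation order Z[alpha], f(alpha) = 0, f monic
    with integer coefficients (constant term first), in the basis
    1, alpha, ..., alpha^(n-1): table[i][j] = coordinates of alpha^(i+j)."""
    n = len(f) - 1
    powers = [[1] + [0] * (n - 1)]                      # alpha^0
    for _ in range(2 * n - 2):
        v = [0] + powers[-1][:-1]                        # multiply by alpha
        top = powers[-1][-1]                             # coefficient of alpha^(n-1)
        for k in range(n):                               # alpha^n = -sum_k f_k alpha^k
            v[k] -= top * f[k]
        powers.append(v)
    return [[powers[i + j] for j in range(n)] for i in range(n)]


def mul_mod_p(x, y, table, p):
    """Product of two elements of A/pA in coordinates."""
    n = len(table)
    out = [0] * n
    for i in range(n):
        for j in range(n):
            c = x[i] * y[j]
            if c:
                for k in range(n):
                    out[k] = (out[k] + c * table[i][j][k]) % p
    return out


def kernel_mod_p(columns, p):
    """Basis of the kernel of the F_p-linear map whose matrix has the given
    columns (images of the basis vectors), by reduced row echelon form."""
    n = len(columns)
    m = [[columns[c][r] % p for c in range(n)] for r in range(n)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((r for r in range(row, n) if m[r][col]), None)
        if piv is None:
            continue
        m[row], m[piv] = m[piv], m[row]
        inv = pow(m[row][col], p - 2, p)
        m[row] = [(v * inv) % p for v in m[row]]
        for r in range(n):
            if r != row and m[r][col]:
                c = m[r][col]
                m[r] = [(a - c * b) % p for a, b in zip(m[r], m[row])]
        pivots.append(col)
        row += 1
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[free] = 1                      # one free variable set to 1, pivots solved for
        for r, pc in enumerate(pivots):
            v[pc] = (-m[r][free]) % p
        basis.append(v)
    return basis


def radical_mod_p(table, p):
    """Basis of r/pA, the nilpotents of A/pA: kernel of x -> x^(p^t), p^t > n."""
    n = len(table)
    t = 1
    while p ** t <= n:                   # least t with p^t > n, as in the text
        t += 1
    columns = []
    for i in range(n):
        acc = [1] + [0] * (n - 1)        # the unit element w_0 = 1
        base, e = [1 if k == i else 0 for k in range(n)], p ** t
        while e:                         # square-and-multiply for w_i^(p^t)
            if e & 1:
                acc = mul_mod_p(acc, base, table, p)
            base = mul_mod_p(base, base, table, p)
            e >>= 1
        columns.append(acc)
    return kernel_mod_p(columns, p)


def certified_p_maximal(table, p):
    """True when r = pA: then R_r = A and A = A^(p).  False means undecided."""
    return not radical_mod_p(table, p)


if __name__ == "__main__":
    sqrt5 = power_basis_table([-5, 0, 1])                 # Z[sqrt 5]
    print(radical_mod_p(sqrt5, 2), certified_p_maximal(sqrt5, 2))   # [[1, 1]] False
    print(radical_mod_p(sqrt5, 3), certified_p_maximal(sqrt5, 3))   # [] True
    cubic = power_basis_table([-1, -1, 0, 1])             # Z[alpha], alpha^3 = alpha + 1
    print(len(radical_mod_p(cubic, 23)))                  # 1: 23 divides the discriminant
```

For $\mathbf{Z}[\sqrt5]$ at $p = 2$ the radical is spanned by $1 + \sqrt5$, and the order is indeed not $2$-maximal; for the cubic at $p = 23$ the radical is nonzero although the order is maximal, which is why a nonzero radical only says that the multiplier-ring step is still needed.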

This concludes the sketch of the algorithm underlying Theorem 4.5 for $C = \mathbf{Z}$. 
For general $C$, one can either modify the above, or first determine $A^{(p)}$ for $p = 
\mathrm{char}\,C/\mathfrak p$ and then find $A^{(\mathfrak p)}$ inside $A^{(p)}$. 

The above algorithm gives, with a few modifications, also something if $p$ is not 
supposed to be prime. This is expressed in the following theorem, which is taken 
from [14]. 

Theorem 4.6. There is a good algorithm that given $K$ and $A$ as above, as well as 
an integer $q > 1$, determines an order $B$ in $K$ that contains $A^{(p)}$ for each prime 
number $p$ that divides $q$ exactly once. 

To prove this, one first observes that it suffices to exhibit a good algorithm 
that given $K$, $A$ and $q$ either finds $B$ as in the statement of the theorem, or finds 
a nontrivial factorization $q = q_1 q_2$. Namely, in the latter case one can proceed 
recursively with $q_1$ and $q_2$ to find orders $B_1$, $B_2$, and one lets $B$ be the ring generated 
by $B_1$ and $B_2$. 

To find $B$ or $q_1, q_2$, one applies the algorithm outlined above, with a few changes. 
The first change is that one starts by checking that $q$ is not divisible by any prime 
number $p \le n$; if it is, then either one finds a nontrivial splitting of $q$, or $q$ is a 
small prime number and one can apply the earlier algorithm. So let it now be 
assumed that $q$ has no prime factors $p \le n$, and that $q > 1$. The second change 
is that one replaces, in the above algorithm, $p$ and $\mathbf{F}_p$ everywhere by $q$ and $\mathbf{Z}/q\mathbf{Z}$. 
This affects the linear algebra routines, which are only designed to work for vector 
spaces over fields. However, as we indicated in 2.4, they work just as well for 
modules over a ring $\mathbf{Z}/q\mathbf{Z}$, until some division in $\mathbf{Z}/q\mathbf{Z}$ fails, in which case one 
obtains a nontrivial factor $q_1$ of $q$. The third change is that $\mathfrak r/qA$ should now be 
calculated as the "radical of the trace form," i.e., as the kernel of the $\mathbf{Z}/q\mathbf{Z}$-linear 
map $A/qA \to \mathrm{Hom}(A/qA, \mathbf{Z}/q\mathbf{Z})$ that sends $x$ to the map sending $y$ to $\mathrm{Tr}(xy)$, 
where $\mathrm{Tr}\colon A/qA \to \mathbf{Z}/q\mathbf{Z}$ is the trace map. If $q$ is a prime number exceeding $n$ 
then this is the same $\mathfrak r$ as above. 

One can show that the modified algorithm has the desired properties, see [14]. 
This concludes our sketch of the proof of Theorem 4.6. 

Using Theorem 4.6 we can complete the proof of Theorem 4.4. Namely, suppose 
that one has an algorithm that determines the largest square divisor of any given 
positive integer. Calling this algorithm a few times, one can determine the largest 
squarefree number $q$ for which $q^2$ divides the discriminant of $A$. Applying the 
algorithm of Theorem 4.6 to $q$ one obtains an order $B$ that contains $A^{(p)}$ for each 
prime $p$ for which $p^2$ divides the discriminant of $A$, so that $B = O$. 

We now formulate a result that also gives information about the local structure
of $B$ at primes $p$ for which $p^2$ divides $q$. Let $A$ be an order in a number field $K$,
and let $q$ be a positive integer. We call $A$ nonsingular at $q$ if each prime ideal
of $A$ containing $q$ is nonsingular. We call $A$ tame at $q$ if for each prime ideal $\mathfrak p$
of $A$ containing $q$ there exist an unramified extension $R$ of the ring $\mathbf Z_p$ of $p$-adic
integers, where $p = \operatorname{char} A/\mathfrak p$, a positive integer $e$ that is not divisible by $p$, and a
unit $u \in R^*$, such that there is an isomorphism

$$\varprojlim_m A/\mathfrak p^m \cong R[X]/(X^e - uq)R[X]$$

of $\mathbf Z_p$-algebras. As a partial justification of the terminology, we remark that for
prime $q$ the order $A$ is tame at $q$ if and only if each prime ideal $\mathfrak p$ of $A$ containing $q$
is nonsingular and tamely ramified over $q$; this follows from a well-known structure
theorem for tamely ramified extensions of $\mathbf Z_q$ (see [75, §3-4]). If $A$ is tame at $q$
and $\mathfrak p$ is a prime ideal of $A$ containing $q$, then $\mathfrak p$ is nonsingular if and only if either
$p = \operatorname{char} A/\mathfrak p$ divides $q$ exactly once or the number $e$ above equals 1, and otherwise
$\mathfrak p$ is a plane singularity.

Theorem 4.7. There is a good algorithm that, given an order $A$ in a number field
$K$ of degree $n$, finds an order $B$ in $K$ containing $A$ and a sequence of pairwise
coprime divisors $q_i$, $1 \le i \le t$, of the discriminant of $B$, such that

(i) $B$ is tame at $q = \prod_{i=1}^{t} q_i$;

(ii) all prime numbers dividing $q$ exceed $n$;

(iii) $B$ is nonsingular at all prime numbers $p$ that do not divide $q$.

This follows from a closer analysis of the algorithm of Theorem 4.6. Using this 
theorem and the properties of tameness, one can deduce the following result, which 
expresses that one can approximate O as closely as can be expected on the basis of 
Theorem 4.4. 

Theorem 4.8. There is a good algorithm that, given an order $A$ in a number
field $K$, finds an order $B$ in $K$ containing $A$ and a positive integer $q$ dividing the
discriminant of $B$ such that $B = O$ if and only if $q$ is squarefree, and such that the
primes dividing $[O : B]$ are exactly those that appear at least twice in $q$. Moreover,
there is a good algorithm that given this $B$ and a nontrivial square dividing $q$ finds
an order in $K$ that strictly contains $B$.

Next we discuss an algorithm that does a little more than the algorithm of
Theorem 4.5. Namely, in addition to finding $A^{(\mathfrak p)}$, it also finds all prime ideals
of $A^{(\mathfrak p)}$ containing $\mathfrak p$. It depends — not surprisingly, if one considers the case of an
equation order $\mathbf Z[\alpha]$ — on an algorithm for factoring polynomials in one variable over
a finite field, see 2.8. Due to this ingredient it is not a deterministic polynomial
time algorithm any more, and it has no extension as Theorem 4.6 that works for
nonprimes.

Theorem 4.9. There is a probabilistic algorithm that runs in expected polynomial
time, and there is a deterministic algorithm that runs in $\sqrt{\operatorname{char} C/\mathfrak p}$ times polyno-
mial time, that given $K$, $A$, $C$, $\mathfrak p$ as in Theorem 4.5, determine

(i) all prime ideals of $A$ containing $\mathfrak p$;

(ii) the order $A^{(\mathfrak p)}$;

(iii) all prime ideals of $A^{(\mathfrak p)}$ containing $\mathfrak p$.

One can do part (i) by analyzing the structure of the finite ring $A/\mathfrak pA$, as the
reader may check; below we give a different argument. Once one has (i), one can
do (ii) by Theorem 4.5 and (iii) by applying (i) to $A^{(\mathfrak p)}$. We sketch an alternative
way to proceed, in which one constructs $A^{(\mathfrak p)}$ and the prime ideals simultaneously
without appealing to Theorem 4.5. Let it first be assumed that $C = A$.

The algorithm works with a list of pairs $B$, $\mathfrak q$ for which $B$ is an order in $K$ with
$A \subset B \subset A^{(\mathfrak p)}$ and $\mathfrak q$ is a prime ideal of $B$ containing $\mathfrak p$. Initially, there is only one
pair on the list, namely, $A$, $\mathfrak p$. The purpose of the algorithm is to achieve that $\mathfrak q$ is
nonsingular as a prime ideal of $B$, for each pair $B$, $\mathfrak q$ on the list. If that happens,
then $A^{(\mathfrak p)}$ is the sum of all $B$'s, and, as it turns out, the ideals $\mathfrak qA^{(\mathfrak p)}$ are pairwise
distinct and are precisely all prime ideals of $A^{(\mathfrak p)}$ containing $\mathfrak p$.

The algorithm deals with a given pair $B$, $\mathfrak q$ in the following manner. First one
determines, by means of linear algebra over the finite field $B/\mathfrak q$, an element $\gamma \in K$
with $\gamma \notin B$, $\gamma\mathfrak q \subset B$; such an element exists, see [75, Lemma 4-4-3]. Next, one
considers $\gamma\mathfrak q$. If $\gamma\mathfrak q \not\subset \mathfrak q$, then $\mathfrak q$ is nonsingular, and the pair $B$, $\mathfrak q$ is left alone.
Suppose now that $\gamma\mathfrak q \subset \mathfrak q$. Then $B[\gamma]$ is an order in $K$ in which $\mathfrak q$ is an ideal, and
using linear algebra one determines the minimal polynomial $g$ of ($\gamma \bmod \mathfrak q$) over the
field $B/\mathfrak q$. This polynomial is factored into irreducible factors over $B/\mathfrak q$. For each
irreducible factor ($h \bmod \mathfrak q$) of $g$, one now adds the pair $B[\gamma]$, $\mathfrak q + h(\gamma)B[\gamma]$ to the
list, and one removes $B$, $\mathfrak q$.

The above is repeated until all pairs are nonsingular.

If $C \ne A$, then one replaces the pair $C$, $\mathfrak p$ by $A' = C + \mathfrak pA$, $\mathfrak pA$; note that $\mathfrak pA$
is a prime ideal of $A'$ with $A'/\mathfrak pA \cong C/\mathfrak p$. Applying the above with $A'$ in the role
of $A$ one finds the order $A'^{(\mathfrak pA)}$ and all of its prime ideals containing $\mathfrak pA$. One easily
shows that $A^{(\mathfrak p)} = A'^{(\mathfrak pA)}$, and intersecting the prime ideals just mentioned with $A$
one finds (i). This concludes the sketch of the proof of Theorem 4.9.

We note that the above algorithm also gives a convenient way of evaluating
the valuations corresponding to the prime ideals containing $\mathfrak p$. Namely, for each
nonsingular pair $B$, $\mathfrak q$ the corresponding valuation $v$ is given by

$$v(\beta) = \max\{m \in \mathbf Z_{\ge 0} : \gamma^m\beta \in B\}$$

for $\beta \in B$, $\beta \ne 0$, where $\gamma$ is as constructed in the algorithm. Since each element
of $K$ can be written as a quotient of elements of $B$ this allows us to compute $v(\beta)$
for each $\beta \in K$.

It is well known that the $p$-adic valuations of a number field $K = \mathbf Q(\alpha)$ corre-
spond bijectively to the irreducible factors of $f$ over $\mathbf Q_p$, where $f$ is the irreducible
polynomial of $\alpha$ over $\mathbf Q$. Thus Theorem 4.9 suggests that factoring polynomials in
one variable over $\mathbf Q_p$ to a given precision can be done by a probabilistic algorithm
that runs in expected polynomial time and by a deterministic algorithm that runs
in $\sqrt p$ times polynomial time. A result of this nature is given in [14]; see also [21],
where a more direct approach is taken.

We close this section with a problem that is geometrically inspired. 

Problem 4.10. If all singularities of A are plane singularities, can the algorithm 
of Theorem 4.9 be arranged in such a way that the same applies to all rings B that 
are encountered? 

It may be of interest to see whether the methods that have been proposed for 
the resolution of plane curve singularities [11, 71] shed any light on this problem. 
One may also wish to investigate the algorithm of Theorem 4.6 from the same 
perspective. 

An affirmative answer to Problem 4.10 may improve the performance of the
algorithm. This is because the hypothesis on $A$ is often satisfied, for example, if $A$
is an equation order or a "generalized" equation order as in 2.10; and finding $\gamma$ in
the algorithm of Theorem 4.9 may become easier if $\mathfrak q$ is at worst a plane singularity,
so that it can be generated by two elements.

5. Class groups and units 

In this section we discuss the following problem and its complexity.

Problem 5.1. Given an algebraic number field $K$, with ring of integers $O$, deter-
mine the unit group $O^*$ and the class group $\mathrm{Cl}\,O$ of $O$.

First we make a few remarks on the statement of the problem. In the previous
section we saw that, given $K$, the ring $O$ may be very hard to determine and that
consequently we may have to work with subrings $A$ of $O$ that, for all we know, may
be different from $O$. Thus, it would have been natural to formulate the problem
for any order $A$ in $K$ rather than just for $O$. We have not done so, for several
reasons. The first is that only very little work has been done for general orders in
fields of degree greater than 2. The second is that most difficulties appear already
in the case $A = O$ and that some additional complications are avoided. Finally, it
is to be noted that all algorithms for calculating unit groups and class groups that
have been proposed are so time-consuming that the effort required in determining
$O$ appears to be negligible in comparison; and it may very well be that the best
way of calculating the unit group and class group of a general order $A$ proceeds by
first determining $O$, next calculating $O^*$ and $\mathrm{Cl}\,O$, and finally going back to $A$.

We shall denote by $n$ and $\Delta$ the degree and the discriminant of $K$ over $\mathbf Q$.
It will be assumed that $O$ is given by means of a multiplication table of length
$(2 + \log|\Delta|)^{O(1)}$, as in 2.10. We shall bound the running times of the algorithms in
terms of $|\Delta|$.

The next question to be discussed is how we wish $O^*$ and $\mathrm{Cl}\,O$ to be specified. As
an abstract group, we have $O^* \cong (\mathbf Z/w\mathbf Z) \oplus \mathbf Z^{r+s-1}$, where $w$ denotes the number
of roots of unity in $K$ and $r$, $s$ denote the number of real and complex archimedean
places of $K$, respectively. Determining $O^*$ means specifying the images of the
standard generators of $(\mathbf Z/w\mathbf Z) \oplus \mathbf Z^{r+s-1}$ under an isomorphism to $O^*$; and we
also like to be provided with an algorithm that calculates the inverse isomorphism.






Using the logarithms at the infinite places (see [37, Chapter V, §1]) and basis
reduction (see 2.6) one can prove that both these things can be achieved if we have
a set of generators for $O^*$. However, just writing down a set of generators for $O^*$
may be very time-consuming. Suppose, for example, that $K$ is real quadratic, i.e.,
$n = 2$ and $\Delta > 0$. Then $O^*$ is generated by $-1$ and a single unit $\varepsilon$ of infinite order.
It is easy to see that the total number of digits of the coefficients of $\varepsilon$ on the given
basis of $O$ over $\mathbf Z$ equals $R(\log\Delta)^{O(1)}$, where $R$ denotes the regulator of $K$; see [37,
Chapter V, §1] for the definition of the regulator. It is reasonable to conjecture
that, for an infinite sequence of real quadratic fields, $R$ is as large as $\Delta^{1/2+o(1)}$.
Hence we cannot expect to be able to write down $\varepsilon$, let alone calculate it, in time
significantly less than $\Delta^{1/2}$. If we are interested in more efficient algorithms, then
units must be represented in a different way, for example as a product $\prod_\gamma \gamma^{k(\gamma)}$ of
elements $\gamma \in K^*$ with integer exponents $k(\gamma)$ that may be very large in absolute
value. This leads to the question whether there exists a system of generating units
that one can express in this way using substantially fewer than $|\Delta|^{1/2}$ bits. Also,
the following problem is suggested.

Problem 5.2. Given a number field $K$, finitely many elements $\gamma \in K^*$, and, for
each $\gamma$, an integer $k(\gamma) \in \mathbf Z$, decide whether $\varepsilon = \prod_\gamma \gamma^{k(\gamma)}$ is a unit, i.e., belongs to
$O^*$, and whether it equals 1. If it is a unit, then determine its residue class modulo
a given ideal and calculate, for a given embedding $\sigma\colon K \to \mathbf C$, the logarithm of $\sigma\varepsilon$
to a given precision.

It may be expected that the first of these — recognizing units — can be done by
means of a good algorithm, even when $O$ is not given, by means of factor refinement
(cf. [7]). Good results on the other problems can probably be obtained with
diophantine approximation techniques, such as basis reduction (see 2.6). The same
applies to the following more general problem.

Problem 5.3. Given a number field $K$ and a finite set $\Gamma$ of elements $\gamma \in K^*$, find
sets of generators for the subgroups

$$\Bigl\{(k(\gamma))_{\gamma\in\Gamma} \in \mathbf Z^\Gamma : \prod_\gamma \gamma^{k(\gamma)} = 1\Bigr\},\qquad
\Bigl\{(k(\gamma))_{\gamma\in\Gamma} \in \mathbf Z^\Gamma : \prod_\gamma \gamma^{k(\gamma)} \in O^*\Bigr\}$$

of $\mathbf Z^\Gamma$, and calculate the regulator of the group of all units of the form $\prod_{\gamma\in\Gamma}\gamma^{k(\gamma)}$,
$k(\gamma) \in \mathbf Z$, to a given precision.

Problems of this nature arise in several contexts: in an algorithm for factoring
integers [44, 17], in the discrete logarithm problem [27, 60], and, as we shall see below,
in the determination of unit groups and class groups.

Returning to Problem 5.1, we still have to describe how we wish the class group
$\mathrm{Cl}\,O$ to be specified. It is a finite abelian group, so we may first of all ask for
positive integers $d_1, d_2, \ldots, d_t$ such that there is an isomorphism $\bigoplus_{i=1}^t \mathbf Z/d_i\mathbf Z \cong
\mathrm{Cl}\,O$ of abelian groups, and secondly for ideals $\mathfrak a_1, \mathfrak a_2, \ldots, \mathfrak a_t$ such that one such
isomorphism sends the standard generators of $\bigoplus_i \mathbf Z/d_i\mathbf Z$ to the ideal classes of the
$\mathfrak a_i$. Once the class group has been calculated in this sense, it may remain very
difficult to find the inverse isomorphism: given an $O$-ideal, to which ideal of the
form $\prod_i \mathfrak a_i^{m(i)}$ is it equivalent? Even testing whether a given ideal is principal may
be very difficult.

The order $h = \#\mathrm{Cl}\,O$ of the class group is bounded by $|\Delta|^{1/2}(n + \log|\Delta|)^{n-1}$
(see Theorem 6.5). The example of imaginary quadratic fields — i.e., $n = 2$ and
$\Delta < 0$ — shows that $h$ is often as large as $|\Delta|^{1/2}(\log|\Delta|)^{O(1)}$. Hence, if we are
willing to spend time at least of order $|\Delta|^{1/2}$ then we could conceivably list all ideal
classes, and finding the inverse isomorphism might also become doable.

The first thing to be discussed about Problem 5.1 is whether it can be done
at all, efficiently or not. This is a question that is strangely overlooked in most
textbooks, two notable exceptions being [9] and [19]. For the class group, one
often finds the theorem that every ideal class contains an integral ideal of norm at
most the Minkowski constant $(n!/n^n)(4/\pi)^s|\Delta|^{1/2}$, where $s$ denotes the number of
complex places of $K$. However, this does not show that the class group is effectively
computable if no effective procedure for deciding equivalence of ideals is supplied.

We shall prove a theorem from which the effective computability of $O^*$ and $\mathrm{Cl}\,O$
is clear. We begin by introducing some notation. Let $K$ be a number field of
degree $n$ and discriminant $\Delta$ over $\mathbf Q$. A place $\mathfrak p$ of $K$ is an equivalence class of
nontrivial absolute values of $K$. The set of archimedean places of $K$ is denoted by
$S_\infty$. For $\mathfrak p \notin S_\infty$, the norm $\mathfrak N\mathfrak p$ of $\mathfrak p$ is the cardinality of the residue class field at
$\mathfrak p$. For each place $\mathfrak p$, let $|\ |_{\mathfrak p}\colon K \to \mathbf R_{\ge 0}$ denote the unique absolute value belonging
to $\mathfrak p$ with the property that $|2|_{\mathfrak p} = 2$ if $\mathfrak p$ is real; $|2|_{\mathfrak p} = 4$ if $\mathfrak p$ is complex; and
$|K^*|_{\mathfrak p} = (\mathfrak N\mathfrak p)^{\mathbf Z}$ if $\mathfrak p$ is non-archimedean. The height $H(x)$ of an element $x \in K$ is
defined by $H(x) = \prod_{\mathfrak p}\max\{1, |x|_{\mathfrak p}\}$, the product extending over all places $\mathfrak p$ of $K$.
For any set $S$ of places of $K$ with $S_\infty \subset S$ we let $K_S$ denote the group of $S$-units,
i.e., the subgroup of $K^*$ consisting of those $x \in K^*$ that satisfy $|x|_{\mathfrak p} = 1$ for all
places $\mathfrak p$ of $K$ with $\mathfrak p \notin S$; in particular, we have $K_{S_\infty} = O^*$ if $O$ denotes the ring
of integers of $K$.

Theorem 5.4. Let $K$ be an algebraic number field, $\Delta$ its discriminant over $\mathbf Q$, and
$s$ the number of complex places of $K$. Let $d = (2/\pi)^s|\Delta|^{1/2}$, and $S = S_\infty \cup \{\mathfrak p : \mathfrak p$
is a finite place of $K$ with $\mathfrak N\mathfrak p \le d\}$. Then the group $K_S$ is generated by the set of
those $x \in K_S$ for which $H(x) \le d^2$, and the ideal class group of the ring of integers
of $K$ is generated by the ideal classes of the finite primes in $S$.

The proof of this theorem is given in §6. 

Remark. The example of real quadratic fields shows that it is not reasonable to
expect that the group $K_{S_\infty} = O^*$ is generated by elements $x$ for which $H(x)$ is
substantially smaller than $e^R$. The group $K_S$ in Theorem 5.4 is generally much
larger than $O^*$, but it is generated by elements that are much smaller.

The relevance of Theorem 5.4 for the effective determination of $O^*$ and $\mathrm{Cl}\,O$
comes from the exact sequence

$$0 \to O^* \to K_S \to \mathbf Z^{S - S_\infty} \to \mathrm{Cl}\,O \to 0.$$

The middle arrow sends an element $x \in K_S$ to the vector $(\operatorname{ord}_{\mathfrak p} x)_{\mathfrak p \in S - S_\infty}$, where
$\operatorname{ord}_{\mathfrak p} x$ is the number of factors $\mathfrak p$ in $x$, so $|x|_{\mathfrak p} = (\mathfrak N\mathfrak p)^{-\operatorname{ord}_{\mathfrak p} x}$. The map $\mathbf Z^{S - S_\infty} \to \mathrm{Cl}\,O$
sends $(m(\mathfrak p))_{\mathfrak p}$ to the ideal class of $\prod_{\mathfrak p}\mathfrak p^{m(\mathfrak p)}$. The exactness at $\mathrm{Cl}\,O$ follows from
the last assertion of Theorem 5.4, the exactness at the other places is clear.

To calculate $O^*$ and $\mathrm{Cl}\,O$ from the sequence, one starts by calculating the set
of generators of $K_S$ given by Theorem 5.4. It is well known that there are only
finitely many elements of bounded height in $K$ (see [64, Chapter 2]), and from the
proof of this result it is clear that they can be effectively determined. Determining
the prime ideal factorizations of these generators one finds a matrix that describes
the map $K_S \to \mathbf Z^{S - S_\infty}$. Applying algorithms for finitely generated abelian groups
(see 2.5) one obtains $O^*$ and $\mathrm{Cl}\,O$ as the kernel and cokernel of this map.

We now turn to complexity results for Problem 5.1. Most results that have
been obtained concern quadratic fields (see [45, 61, 28]). For general number fields,
virtually all that is known can be found in [12] (note that, in that paper, the factor
$R^{1/2}$ in Theorem 2 is a printing error for $R$, and $D^{1/2+\epsilon}$ in Theorem 4 is a printing
error for $R^{1/2}D^{1/2+\epsilon}$). The following theorem appears to be true.

Theorem 5.5. Given $K$ and $O$, one can determine a set of generators of $O^*$
and the structure of $\mathrm{Cl}\,O$ in time at most $(2 + \log|\Delta|)^{O(n)}|\Delta|^{3/4}$ by means of a
deterministic algorithm and in expected time at most $(2 + \log|\Delta|)^{O(n)}|\Delta|^{1/2}$ by
means of a probabilistic algorithm.

In [12] one finds a weaker version of this result, in which n is kept fixed. The 
more precise result should follow by combining [12] with results that appear in [15]. 

The algorithm underlying Theorem 5.5, for which we refer to [12] and the
references given there, is not the same as the method for effectively determining $O^*$
and $\mathrm{Cl}\,O$ that we just indicated. However, there does exist a connection between
the two methods. Namely, the proof of Theorem 5.4 depends on a lemma from
combinatorial group theory that constructs a set of generators of a subgroup $H$
of a group $G$ from a set of generators of $G$ itself (see Lemma 6.3), whereas the
algorithm of Theorem 5.5 constructs generators of the group $O^*$ by letting it act
on a certain graph; and it is well known that these two subjects are closely related
(see [63]). It would be of interest to understand this connection better, and to see
whether Theorem 5.5 can be deduced from a suitable version of Theorem 5.4.

The higher exponent 3/4 in Theorem 5.5 in the case of a deterministic algorithm 
is due to the use of algorithms for factoring polynomials over finite fields (see 2.8). 
It suggests the following problem. 

Problem 5.6. Can the exponent 3/4 in Theorem 5.5 be replaced by 1/2? 

For quadratic fields the answer is affirmative. It is likely that the method by 
which this is shown, which is not completely obvious, carries over to general number 
fields. 

We close this section with an imprecise description of a probabilistic technique 
for the solution of Problem 5.1. 

Let the notation be as introduced before Theorem 5.4, and let $S$ consist of the
archimedean primes of $K$ and the non-archimedean primes of norm up to a certain
bound $b$. One supposes that one has a method of drawing elements of $K_S$ that are
"random" in a certain sense. For example, the method might consist of drawing
elements $x$ of $K$ whose coordinates on the given vector space basis of $K$ over $\mathbf Q$ are
uniformly distributed over a certain set of rational numbers, such as the positive
integers up to a certain bound, and keeping only those $x$ that are found to belong
to $K_S$.

To determine the class group and the units, one draws elements of $K_S$ until one
has the feeling that the subgroup $H$ that they generate is equal to all of $K_S$. One
may get this feeling if the number of elements that have been drawn is well over
$\#S$, which is the minimal number of generators of $K_S$ as an abelian group, and if it
happened several times in succession that a newly drawn element of $K_S$ was found
to belong to the subgroup generated by the elements drawn earlier; if Problem
5.3 has a satisfactory solution then this can be tested. Assuming that $H = K_S$
one can determine $O^*$ and $\mathrm{Cl}\,O$, as above, as the kernel and cokernel of the map
$\phi\colon H \to \mathbf Z^{S - S_\infty}$ that sends $x$ to $(\operatorname{ord}_{\mathfrak p} x)_{\mathfrak p \in S - S_\infty}$.

In general, one does not know that $H = K_S$, so that $\ker\phi$ and $\operatorname{coker}\phi$ can only
be conjectured to be $O^*$ and $\mathrm{Cl}\,O$, respectively. One does know that there is an
exact sequence

$$0 \to \ker\phi \to O^* \to K_S/H \to \operatorname{coker}\phi \to \mathrm{Cl}\,O \to (\mathrm{Cl}\,O)/C_S \to 0,$$

where $C_S$ is the subgroup of $\mathrm{Cl}\,O$ generated by the ideal classes of the finite primes
in $S$. The sequence shows that $H$ has finite index in $K_S$ if and only if the conjectured
class group $\operatorname{coker}\phi$ is finite and the $\mathbf Z$-rank of the conjectured unit group $\ker\phi$ mod
torsion is the same as it is for the true unit group $O^*$, namely $\#S_\infty - 1$. If $H$ has
infinite index in $K_S$ one should of course continue drawing elements of $K_S$.
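The kernel/cokernel computation described after Theorem 5.4 and the drawing technique just described, as an added example that is not code from the paper: for $K = \mathbf Q(\sqrt{-5})$ it enumerates a box of elements instead of drawing random ones, keeps those that lie in $K_S$, forms the matrix of their valuations at the finite primes in $S$, and reads the conjectured class group $\operatorname{coker}\phi$ off the Smith normal form of that matrix (a zero invariant would signal that $H$ has infinite index). The field, the choice of the primes above 2, 3, 7 for $S$, and all function names are assumptions.

```python
from itertools import product
from math import gcd

# Added example, not code from the paper: the relation-matrix method of this
# section (Cl O as the cokernel of phi: H -> Z^(S - S_oo), H generated by "drawn"
# elements of K_S) for the constructed case K = Q(sqrt(-5)).  Assumptions: D = -5
# is not 1 mod 4, so O = Z[sqrt(D)] and a + b*sqrt(D) is the pair (a, b); S is the
# archimedean place plus the primes above RATIONAL_PRIMES; the "random" draws are
# replaced by enumerating a box of coordinates.  All function names are hypothetical.

D = -5
RATIONAL_PRIMES = [2, 3, 7]          # 2 ramifies, 3 and 7 split in Q(sqrt(-5))

def norm(x):
    a, b = x
    return a * a - D * b * b

def val(m, ell):
    """ell-adic valuation of the nonzero integer m."""
    v = 0
    while m % ell == 0:
        m //= ell
        v += 1
    return v

def primes_above(ell):
    """Prime ideals of O above ell as (ell, t, kind): a root t of t^2 = D mod ell
    describes the prime (ell, sqrt(D) - t); two roots mean ell splits, one root that it ramifies."""
    roots = [t for t in range(ell) if (t * t - D) % ell == 0]
    if len(roots) == 2:
        return [(ell, t, "split") for t in roots]
    if len(roots) == 1:
        return [(ell, roots[0], "ramified")]
    return [(ell, None, "inert")]

def ord_at(x, prime):
    """ord_p(x) for nonzero x: the exponent of the prime ideal p in Ox."""
    ell, t, kind = prime
    if kind == "ramified":              # the unique prime above ell has residue degree 1
        return val(norm(x), ell)
    a, b = x
    k = val(gcd(a, b), ell)             # ell^k is the largest power of ell dividing x itself
    if kind == "inert":
        return k
    a, b = a // ell**k, b // ell**k     # the ell-primitive part lies in at most one prime above ell
    e = val(norm((a, b)), ell)
    return k + e if (a + b * t) % ell == 0 else k      # membership test for (ell, sqrt(D) - t)

def smith_diagonal(M):
    """Smith normal form diagonal d_1 | d_2 | ... of an integer matrix, padded with
    zeros to the number of columns: Z^cols / (row lattice) is the sum of the Z/d_i Z."""
    A = [row[:] for row in M]
    m, n = len(A), len(A[0])
    diag = []
    for t in range(min(m, n)):
        while True:
            cand = [(abs(A[i][j]), i, j) for i in range(t, m) for j in range(t, n) if A[i][j]]
            if not cand:
                return diag + [0] * (n - len(diag))
            _, i, j = min(cand)                      # smallest nonzero entry is the pivot
            A[t], A[i] = A[i], A[t]
            for row in A:
                row[t], row[j] = row[j], row[t]
            piv, clean = A[t][t], True
            for i in range(t + 1, m):                # reduce column t modulo the pivot
                qt = A[i][t] // piv
                A[i] = [x - qt * y for x, y in zip(A[i], A[t])]
                clean = clean and A[i][t] == 0
            for j in range(t + 1, n):                # reduce row t modulo the pivot
                qt = A[t][j] // piv
                for row in A:
                    row[j] -= qt * row[t]
                clean = clean and A[t][j] == 0
            if not clean:
                continue                             # smaller entries appeared: repeat
            bad = next((i for i in range(t + 1, m) for j in range(t + 1, n) if A[i][j] % piv), None)
            if bad is None:
                diag.append(abs(piv))
                break
            A[t] = [x + y for x, y in zip(A[t], A[bad])]   # enforce d_t | later entries
    return diag + [0] * (n - len(diag))

def relation_matrix(box):
    """Rows (ord_p x)_{p in S - S_oo} for each x = a + b sqrt(D), |a|, |b| <= box, that
    lies in K_S, i.e. whose norm factors over RATIONAL_PRIMES; they generate phi(H)."""
    primes = [p for ell in RATIONAL_PRIMES for p in primes_above(ell)]
    rows = []
    for a, b in product(range(-box, box + 1), repeat=2):
        if (a, b) == (0, 0):
            continue
        m = norm((a, b))
        for ell in RATIONAL_PRIMES:
            m //= ell ** val(m, ell)
        if m == 1:
            rows.append([ord_at((a, b), p) for p in primes])
    return primes, rows

def conjectured_class_group(box=6):
    """Invariants of coker phi; a 0 would mean H has infinite index in K_S (draw more)."""
    _, rows = relation_matrix(box)
    return [d for d in smith_diagonal(rows) if d != 1]
```

For box 6 the result is [2], the true class group $\mathbf Z/2\mathbf Z$ of $\mathbf Q(\sqrt{-5})$, and the number of rows is well over $\#S = 6$ as the text asks.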

The information that one has about the relation between the conjectured class
group $\operatorname{coker}\phi$ and the true class group $\mathrm{Cl}\,O$ is particularly meagre: one has a group
homomorphism $\operatorname{coker}\phi \to \mathrm{Cl}\,O$, but neither its injectivity nor its surjectivity is
known. It is surjective if and only if the ideal classes of the finite primes in $S$
generate the class group, and results of this nature are known only if the bound
$b$ that defines $S$ is at least $|\Delta|^{1/2}$ times a constant depending on $n$. However, a
significant improvement is possible if one makes an unproved assumption. Namely,
Bach [6, Theorem 4] showed that if the generalized Riemann hypothesis holds,
then $\mathrm{Cl}\,O$ is generated by the ideal classes of the prime ideals of norm at most
$12(\log|\Delta|)^2$. Hence if we assume the generalized Riemann hypothesis then the map
$\operatorname{coker}\phi \to \mathrm{Cl}\,O$ is surjective for values of $b$ that are much smaller than $|\Delta|^{1/2}$. If
the map is surjective, then the above exact sequence shows that

(5.7) $$h'R' = hR\cdot[K_S : H],$$

where $h = \#\mathrm{Cl}\,O$ and $R = \operatorname{reg} O^*$ are the true class number and regulator, and
$h' = \#\operatorname{coker}\phi$ and $R' = \operatorname{reg}\ker\phi$ the conjectured ones; here we assume that $H$
contains all roots of unity in $K$, which can easily be accomplished [56, §5.4]. Now
suppose that we are able to estimate $hR$ up to a factor 2, i.e., that we can compute
a number $a$ with $a/2 < hR < a$; if one assumes the generalized Riemann hypothesis
this can probably be done by means of a good algorithm, as in [16]. Then we see
from (5.7) that $h'R'$ also satisfies $a/2 < h'R' < a$ if and only if $H = K_S$, and if and
only if one has both $\ker\phi = O^*$ and $\operatorname{coker}\phi = \mathrm{Cl}\,O$.

The above indicates that on the assumption of the generalized Riemann hypoth-
esis it may be possible to find a much faster probabilistic algorithm for determining
$O^*$ and $\mathrm{Cl}\,O$ than the algorithm of Theorem 5.5. This leads to the following prob-
lem.

Problem 5.8. Assuming the truth of the generalized Riemann hypothesis, find a
probabilistic algorithm for Problem 5.1 that, for fixed $n$, runs in expected time

$$\exp\bigl(O((\log|\Delta|)^{1/2}(\log\log|\Delta|)^{1/2})\bigr),$$

the $O$-constant depending on $n$.

Of course, one also wants to know how the running time depends on n, and which 
value can be taken for the O-constant. For imaginary quadratic fields Problem 5.8 
has been solved [28]. For a partial solution in the general case, see [13]. 
6. Explicit bounds

In the present section we prove a few explicit bounds on units and class numbers 
of algebraic number fields, including Theorem 5.4. Several proofs in this section are 
most naturally formulated in terms of ideles, as in [20, Chapter II]. To stress the 
elementary character of the arguments I have chosen to use more classical language. 

We denote by $K$ an algebraic number field of degree $n$ and discriminant $\Delta$ over
$\mathbf Q$, and by $r$ and $s$ the number of real and complex places of $K$, respectively. We
embed $K$ in $K_{\mathbf R} = K \otimes_{\mathbf Q} \mathbf R$, which, as an $\mathbf R$-algebra, is isomorphic to $\mathbf R^r \times \mathbf C^s$. We
choose such an isomorphism, so that each element $a \in K_{\mathbf R}$ has $r + s$ coordinates $a_i$,
of which the first $r$ are real and the last $s$ complex. We put $n_i = 1$ for $1 \le i \le r$ and
$n_i = 2$ for $r + 1 \le i \le r + s$. The norm $N\colon K_{\mathbf R} \to \mathbf R$ is defined by $Na = \prod_{i=1}^{r+s}|a_i|^{n_i}$.

Identifying each copy of $\mathbf C$ with $\mathbf R^2$ by mapping $x + yi$ to $(x + y, x - y)$ we
obtain an identification of $K_{\mathbf R}$ with the $n$-dimensional Euclidean space $\mathbf R^n$. It is
well known that this identification makes the ring of integers $O$ of $K$ into a lattice
of determinant $|\Delta|^{1/2}$ in $K_{\mathbf R}$, and more generally every fractional $O$-ideal $\mathfrak a$ into a
lattice of determinant $\mathfrak N\mathfrak a\cdot|\Delta|^{1/2}$, where $\mathfrak N$ denotes the ideal norm. We shall write

$$d = (2/\pi)^s|\Delta|^{1/2}.$$

Let $S$ be a set of places of $K$ with $S_\infty \subset S$. By $I_S$ we denote the group of
fractional $O$-ideals generated by the finite primes in $S$, and by $K_S$, as in §5, the
group $\{a \in K^* : Oa \in I_S\}$. Denote by $i_S\colon K_S \to K_{\mathbf R} \times I_S$ the embedding defined by
$i_S a = (a, Oa)$. We give $K_{\mathbf R} \times I_S$ the product topology, where $I_S$ is discrete. For any
compact set $B \subset K_{\mathbf R} \times I_S$ the set $B \cap i_S K_S$ consists of elements of bounded height
and is therefore finite. Hence $i_S K_S$ is discrete. Also, $i_S K_S$ is clearly contained in
the subgroup $V_S$ of $K_{\mathbf R} \times I_S$ consisting of those pairs $(a, \mathfrak a)$ for which $Na = \mathfrak N\mathfrak a$.

Theorem 6.1. Let $K$ be an algebraic number field, and let $S$ be a set of places of
$K$ containing $S_\infty$ and containing all finite places $\mathfrak p$ with $\mathfrak N\mathfrak p \le d$, with $d$ as above.
Let $V_S$ be as above, and denote by $F_S$ the set of all elements $(b, \mathfrak b) \in V_S$ for which
$\mathfrak b \subset O$, $\mathfrak N\mathfrak b \le d$, and $|b_i| \le d^{1/n}$ for $1 \le i \le r + s$. Then $F_S$ is a compact subset of
$V_S$ and $V_S = F_S \cdot i_S K_S$.

Proof. The compactness of $F_S$ follows easily from the definition of $F_S$ and the
fact that $V_S$ is closed in $K_{\mathbf R} \times I_S$. To prove the last assertion, let $(a, \mathfrak a) \in V_S$.
Then $a\mathfrak a^{-1}$ is a lattice of determinant $Na\cdot|\Delta|^{1/2}\cdot\mathfrak N\mathfrak a^{-1} = |\Delta|^{1/2}$ in $K_{\mathbf R}$. By
Minkowski's lattice point theorem there exists a nonzero element $b \in a\mathfrak a^{-1}$ with all
$|b_i| \le d^{1/n}$. From $Ob \subset a\mathfrak a^{-1}$ it follows that $Ob = a\mathfrak a^{-1}\mathfrak b$ for some integral $O$-ideal
$\mathfrak b$. Comparing determinants we see that $Nb = \mathfrak N\mathfrak b$, so $\mathfrak N\mathfrak b \le d$. This implies that
$\mathfrak b \in I_S$, so we have $(b, \mathfrak b) \in F_S$. If we write $b = ac$ then $c$ is a nonzero element of
$\mathfrak a^{-1}$, so $c \in K^*$. Since we also have $Oc = \mathfrak a^{-1}\mathfrak b \in I_S$, we even have $c \in K_S$, so
$(a, \mathfrak a) = (b, \mathfrak b)\cdot i_S c^{-1}$. This proves Theorem 6.1.

It follows from Theorem 6.1 that $V_S/i_S K_S$ is compact, if $S$ is as in the theorem.
This allows one to deduce the Dirichlet unit theorem and the finiteness of the class
number. Namely, take for $S$ the set of all places of $K$. From the exact sequence
$0 \to V_{S_\infty} \to V_S \to I_S \to 0$ one obtains an exact sequence

$$0 \to V_{S_\infty}/i_{S_\infty}O^* \to V_S/i_S K_S \to \mathrm{Cl}\,O \to 0,$$

where $O^*$ and $\mathrm{Cl}\,O$ are as in §5. The map to $\mathrm{Cl}\,O$ is continuous if the latter is given
the discrete topology. Thus the compactness of $V_S/i_S K_S$ implies that $V_{S_\infty}/i_{S_\infty}O^*$
is compact, which is essentially a restatement of the Dirichlet unit theorem, and
that $\mathrm{Cl}\,O$ is finite. In the same way one proves that $V_S/i_S K_S$ is compact for every
set $S$ of primes containing $S_\infty$, not just for those from Theorem 6.1.

From the exact sequence and Theorem 6.1 we see that every element of $\mathrm{Cl}\,O$
is the ideal class of an integral ideal $\mathfrak b$ of norm at most $d$. This implies the last
assertion of Theorem 5.4. It also follows that $d \ge 1$. The other assertion of Theorem
5.4 is a special case of the following theorem, in which the height $H$ is as defined
in §5:

$$H(a) = \mathfrak N(O + Oa)^{-1}\cdot\prod_{i=1}^{r+s}\max\{1, |a_i|\}^{n_i}.$$

Theorem 6.2. Let $K$, $S$ be as in Theorem 6.1, with $S$ finite. Write $m_S =
\max\{\mathfrak N\mathfrak p : \mathfrak p \in S - S_\infty\}$ if $S \ne S_\infty$ and $m_S = 1$ if $S = S_\infty$. Then the group
$K_S$ is generated by the set of those $a \in K_S$ satisfying $H(a) \le d\,m_S$ and also by the
set of those $a \in O \cap K_S$ satisfying $H(a) \le d^2 m_S$.

For the proof we need a lemma from combinatorial group theory, as well as a 
topological analogue. 

Lemma 6.3. Let $G$ be a group, $P$ a set of generators for $G$, and $H$ a subgroup
of $G$. Let $F$ be a subset of $G$ such that $G = FH$. Then $H$ is generated by its
intersection with $F^{-1}PF = \{x^{-1}yz : x, z \in F,\ y \in P\}$.

Proof. Replacing $P$ by $P \cup P^{-1}$ we may assume that $P = P^{-1}$, and replacing $F$ by
a subset we may assume that the multiplication map $F \times H \to G$ is bijective. Let
$J \subset H$ be the subgroup generated by $H \cap F^{-1}PF$. If $y \in P$, $z \in F$, then $yz = xh$
for some $x \in F$, $h \in H$, and then $h = x^{-1}yz \in H \cap F^{-1}PF \subset J$. This proves
that $PF \subset FJ$, so $PFJ \subset FJ$. Hence the nonempty set $FJ$ is stable under left
multiplication by $P$, which by our assumptions on $P$ implies that $FJ = G$. From
$J \subset H$ and the bijectivity of $F \times H \to G$ we now obtain $J = H$. This proves
Lemma 6.3.

Lemma 6.4. Let $G$ be a Hausdorff topological group, and denote by $G_1$ the con-
nected component of the unit element 1 of $G$. Let $P \subset G$ be a subset containing 1
such that $G$ is generated by $P \cup G_1$. Let $H \subset G$ be a discrete subgroup, and let $F$ be
a compact subset of $G$ such that $G = FH$. Then $H$ is generated by its intersection
with $F^{-1}PF$.

Proof. The set $H \cap F^{-1}F$ lies in the discrete subgroup $H$, so $(G - H) \cup (H \cap F^{-1}F)$
is open, and it contains the compact set $F^{-1}F$. Hence it contains $F^{-1}UF$ for
some open neighborhood $U$ of 1. Intersecting with $H$ we see that $H \cap F^{-1}F =
H \cap F^{-1}UF$. The subgroup of $G$ generated by $U$ is open, so it contains $G_1$.
Therefore $G$ is generated by $P \cup U$. Applying Lemma 6.3 we find that $H$ is generated
by

$$H \cap (F^{-1}(P \cup U)F) = (H \cap F^{-1}PF) \cup (H \cap F^{-1}UF)
= (H \cap F^{-1}PF) \cup (H \cap F^{-1}F) = H \cap F^{-1}PF,$$

where in the last step we use that $1 \in P$. This proves Lemma 6.4.
To prove Theorem 6.2, we apply Lemma 6.4 to

$$G = V_S,\quad H = i_S K_S,\quad F = F_S,$$
$$P = \{x \in V_S : x^2 = 1\} \cup \{((\mathfrak N\mathfrak p)^{1/n}, \mathfrak p) : \mathfrak p \in S - S_\infty\},$$

where $F_S$ is as in Theorem 6.1 and where $(\mathfrak N\mathfrak p)^{1/n}$ is viewed as an element of $K_{\mathbf R}$
via the natural inclusion $\mathbf R^* \subset K_{\mathbf R}$. Using Theorem 6.1 one readily verifies that the
conditions of Lemma 6.4 are satisfied. Hence $K_S$ is generated by the set of those
elements $a \in K_S$ for which there exist $(b, \mathfrak b), (c, \mathfrak c) \in F_S$, and $(y, \mathfrak y) \in P$ such that

$$(a, Oa) = (b, \mathfrak b)^{-1}\cdot(y, \mathfrak y)\cdot(c, \mathfrak c).$$

Then $Oa = \mathfrak b^{-1}\mathfrak y\mathfrak c$, so the denominator ideal $\operatorname{den} a$ of $a$ divides $\mathfrak b$. For all $i \in
\{1, 2, \ldots, r + s\}$ we have

$$|b_i| \le d^{1/n},\qquad |y_i| \le m_S^{1/n},\qquad |c_i| \le d^{1/n},$$

so for each subset $J \subset \{1, 2, \ldots, r + s\}$ we have

$$\prod_{i\in J}|c_i|^{n_i} \le d^{\,n_J/n},\qquad\text{where } n_J = \sum_{i\in J} n_i,$$

and hence

$$\prod_{i\in J}|a_i|^{n_i} = \prod_{i\in J}|b_i|^{-n_i}|c_i|^{n_i}|y_i|^{n_i} \le \mathfrak N\mathfrak b^{-1}\cdot d\cdot m_S.$$

Choosing $J = \{i : |a_i| > 1\}$ we obtain

$$H(a) = \mathfrak N(\operatorname{den} a)\cdot\prod_{i\in J}|a_i|^{n_i} \le \mathfrak N\mathfrak b\cdot\mathfrak N\mathfrak b^{-1}\cdot d\cdot m_S = d\cdot m_S.$$

This proves the first assertion of Theorem 6.2. To prove the second assertion, we
use Minkowski's lattice point theorem to choose a nonzero element $b' \in \mathfrak b$ with
$|b'_i| \le (d\cdot\mathfrak N\mathfrak b)^{1/n}$ for all $i$. Then $b'\mathfrak b^{-1}$ is an integral ideal of norm at most $d$, so
$b' \in O \cap K_S$. Also $b'a \in O \cap K_S$, and we have

$$H(b') = \prod_i \max\{1, |b'_i|\}^{n_i} \le d\cdot\mathfrak N\mathfrak b \le d^2,$$

$$H(b'a) \le \prod_i \max\{1, |b'_i|\}^{n_i}\prod_i \max\{1, |a_i|\}^{n_i}
\le d\cdot\mathfrak N\mathfrak b\cdot\mathfrak N\mathfrak b^{-1}\cdot d\cdot m_S = d^2 m_S.$$

Since we can write $a = (b'a)/b'$, this proves the second assertion of Theorem 6.2.

Remark. Theorem 6.2 is also valid if the bound $d^2 m_S$ is replaced by $\max\{d^2 m_{S'}, d\,m_S\}$,
where $S' = S_\infty \cup \{\mathfrak p : \mathfrak N\mathfrak p \le d\}$. This is proved by applying Theorem 6.2 to $S'$ and
choosing a nonzero element of height at most $d\cdot\mathfrak N\mathfrak p$ in each prime $\mathfrak p \in S - S'$.

As a further application of Theorem 6.1, we deduce upper bounds for the class
number $h = \#\mathrm{Cl}\,O$ and for the product $hR$ of the class number and the regulator
$R = \operatorname{reg} O^*$. The upper bound for $hR$ resembles the upper bound that Siegel [68]
proved using properties of the zeta function of $K$. For similar upper bounds, see
[58].






Theorem 6.5. Let $K$ be an algebraic number field of degree $n$ and discriminant $\Delta$
over $\mathbf Q$, and let $s$ denote the number of complex places of $K$. Let $d = (2/\pi)^s|\Delta|^{1/2}$.
Then the class number $h$ and the regulator $R$ of $K$ satisfy

$$h \le d\cdot\frac{(n-1+\log d)^{n-1}}{(n-1)!},\qquad
hR \le d\cdot\frac{(\log d)^{n-1-s}\,(n-1+\log d)^{s}}{(n-1)!}.$$



Proof. We saw above that every ideal class contains an integral ideal of norm at
most $d$, so

$$h \le \#\{\mathfrak b \subset O : \mathfrak N\mathfrak b \le d\}.$$

For each positive integer $m$, the number of $O$-ideals of norm $m$ is at most the
number of vectors $x = (x_i)_{i=1}^n \in \mathbf Z_{>0}^n$ satisfying $\prod_i x_i = m$; one proves this by
considering how rational primes can split in $K$. Thus we obtain

$$\#\{\mathfrak b \subset O : \mathfrak N\mathfrak b \le d\} \le \#\Bigl\{x \in \mathbf Z_{>0}^n : \prod_i x_i \le d\Bigr\}.$$

Replacing each $x$ by the box $\prod_{i=1}^n (x_i - 1, x_i]$ we can estimate the right side by a
volume:

$$\#\Bigl\{x \in \mathbf Z_{>0}^n : \prod_i x_i \le d\Bigr\} \le \mathrm{vol}\Bigl\{x \in \mathbf R_{>0}^n : \prod_i \max\{1, x_i\} \le d\Bigr\}.$$

Writing $y_i = \log x_i$ we see that the volume is equal to $J(n, \log d)$, where generally
for $n \in \mathbf Z_{>0}$, $\delta \in \mathbf R_{\ge 0}$ we put

$$J(n, \delta) = \int_{y \in \mathbf R^n,\ \sum_i \max\{0, y_i\} \le \delta} \exp\Bigl(\sum_i y_i\Bigr)\,dy.$$

This integral is found to be

$$J(n, \delta) = e^{\delta}\sum_{i=0}^{n-1}\binom{n-1}{i}\frac{\delta^i}{i!}
\le e^{\delta}\sum_{i=0}^{n-1}\binom{n-1}{i}\frac{(n-1)^{n-1-i}\,\delta^i}{(n-1)!}
= e^{\delta}\,\frac{(n-1+\delta)^{n-1}}{(n-1)!}.$$

Putting $\delta = \log d$ we obtain the inequality for $h$.

For $hR$, we apply Theorem 6.1 with $S$ equal to the set of all places of $K$. Let
$u = \#S_\infty - 1 = n - 1 - s$, and define the group homomorphism $\lambda\colon V_S \to \mathbf R^u \times I_S$
by $\lambda(a, \mathfrak a) = ((n_i\log|a_i|)_{i=1}^{u}, \mathfrak a)$. This is a surjective group homomorphism with a
compact kernel, so $\lambda i_S K_S$ is discrete in $\mathbf R^u \times I_S$ with a compact quotient. From the
definition of the regulator one derives that $hR$ equals the volume of a fundamental
domain for $\lambda i_S K_S$ in $\mathbf R^u \times I_S$. Hence Theorem 6.1 implies that $hR \le \mathrm{vol}\,\lambda F_S$. For
each nonzero $O$-ideal $\mathfrak b$ with $\mathfrak N\mathfrak b \le d$ we have, by an easy computation,

$$\mathrm{vol}\,\lambda\{(b, \mathfrak b) \in V_S : |b_i| \le d^{1/n} \text{ for all } i\} = \frac{(\log(d/\mathfrak N\mathfrak b))^u}{u!}.$$

Therefore

$$hR \le \sum_{\mathfrak N\mathfrak b \le d}\frac{(\log(d/\mathfrak N\mathfrak b))^u}{u!},$$

where the sum is over integral $O$-ideals $\mathfrak b$. Proceeding as with $h$ one finds that this
is bounded above by

$$\int_{y \in \mathbf R^n,\ \sum_i \max\{0, y_i\} \le \delta} \exp\Bigl(\sum_i y_i\Bigr)\,\frac{(\delta - \sum_i \max\{0, y_i\})^u}{u!}\,dy,$$

with $\delta = \log d$. Using that $s = n - 1 - u \ge 0$ one finds after some computation the
integral to be

$$e^{\delta}\sum_{i=0}^{s}\binom{s}{i}\frac{\delta^{u+i}}{(u+i)!} \le e^{\delta}\,\frac{\delta^u\,(n-1+\delta)^s}{(n-1)!}.$$

This proves Theorem 6.5.

Remark. The upper bound for $h$ in Theorem 6.5 is also valid when $d$, at both
occurrences, is replaced by the Minkowski constant $d' = (n!/n^n)(4/\pi)^s|\Delta|^{1/2}$ of $K$,
since every ideal class contains an integral ideal of norm at most $d'$.